
Since 2007 GOFORTUTION.com has been the search engine for tutors and students in Delhi and all over India. It provides the cheapest and best home tutors to students, and it also helps tutors who are seeking students for home tuition. We at Mentor Me provide highly qualified, result-oriented, enthusiastic and responsible tutors for all classes, all subjects and all locations across Delhi and all over India. Here we have tutors for all subjects of CBSE, ICSE, B.Com, B.Sc, BBA, BCA, MBA, CA, CS, MCA, "O" Level, "A" Level etc. GOFORTUTION is the best portal for tutors and students; it is not only a site.




Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved


    gofortution: Presentation Transcript

    • Hacking Web Applications
    • WWW
      • Enable
        • Online shopping
        • Online banking
        • Online research information
        • Information searching (global library)
        • Communication
    • Web Application Architecture
      • three-tier architectures
        • client-server (request-response) relationship between
          • (a) the client and the Web server and
          • (b) the Web server and the database server.
        • The first relationship uses the HTTP protocol and the second relationship uses the database query language SQL (primarily).
        • Clients (HTML, CSS, JavaScript)
        • Web servers (Apache) with scripting language (Python, PHP)
        • Database servers (MySQL, PostgreSQL)
    • HTML
      • Markup language; its tags define the format in which information is presented
      • Data presentation engine for web applications (client and server sides)
      • Tags open to abuse
        • User input <INPUT> – hidden type
          • Specifies a value that is not displayed in the browser but is submitted with the other input to the same form
          • Can be altered on the client side and posted back to the server
      • Drawback – static format; being replaced by XML, which is more extensible and flexible in representing all types of data
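The hidden-field abuse described above, as an added example that is not code from the presentation: a checkout handler that trusts the hidden price field, beside one that recomputes the total from a server-side catalog and treats a mismatching hidden value as evidence of tampering. The catalog, form bodies and function names are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation
from typing import Optional

# Constructed sample catalog: the server's own record of what each item costs.
CATALOG = {"sku-100": Decimal("49.99"), "sku-200": Decimal("9.50")}


def total_trusting_hidden_field(form: dict) -> Decimal:
    """Vulnerable pattern: the price came from a hidden <INPUT> that the server
    rendered, but nothing stops the client from editing it before posting."""
    return Decimal(form["price"]) * int(form["qty"])


def validate_order(form: dict) -> Optional[str]:
    """Return None if the posted order is consistent with server-side data,
    otherwise a short reason (worth logging: it only happens on tampering)."""
    sku = form.get("sku")
    if sku not in CATALOG:
        return "unknown sku"
    try:
        qty = int(form.get("qty", ""))
        posted_price = Decimal(form["price"]) if "price" in form else None
    except (ValueError, InvalidOperation):
        return "malformed number"
    if qty < 1:
        return "non-positive quantity"
    if posted_price is not None and posted_price != CATALOG[sku]:
        return f"hidden price {posted_price} differs from catalog {CATALOG[sku]}"
    return None


def total_from_catalog(form: dict) -> Decimal:
    """Hardened pattern: the total is computed from the SKU and the catalog;
    the hidden field, if echoed back at all, is only cross-checked."""
    problem = validate_order(form)
    if problem is not None:
        raise ValueError(problem)
    return CATALOG[form["sku"]] * int(form["qty"])


# Constructed POST bodies: the form as the server rendered it, and the same
# form after a client edited the hidden price before submitting.
HONEST_FORM = {"sku": "sku-100", "qty": "2", "price": "49.99"}
TAMPERED_FORM = {"sku": "sku-100", "qty": "2", "price": "0.01"}

if __name__ == "__main__":
    print("trusting hidden field:", total_trusting_hidden_field(TAMPERED_FORM))
    print("from catalog (honest):", total_from_catalog(HONEST_FORM))
    print("tampered form rejected:", validate_order(TAMPERED_FORM))
```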
    • HTTP
      • Medium of communication between client and server
        • Simple – a limited set of basic functions, request and response; defines a mechanism to request a resource (URL) and the server returns the resource if available; no cryptic syntax to understand
        • Stateless – after a client requests a resource and receives a response, its next request is regarded by the server as a wholly separate and unique request; no session is maintained; hackers do not need to plan for multistage attacks
        • Text-based – no need to understand a binary encoding scheme or to use a translator; all requests and responses are in clear text
      • Today, many web applications tunnel HTTP over SSL, which provides transport-layer encryption so that intermediary devices cannot read the traffic; SSL does nothing for the overall security of a web application other than making it more difficult to eavesdrop on the traffic between client and server
    • Web Client
      • Web browser
      • One of the greatest weapons available to attackers today
      • Communicates with the server using HTTP and renders the HTML it is presented with
      • Can request other resources (FTP), speak other protocols (SSL), etc.
    • Web Server
      • Described as an HTTP daemon
        • Receives a client request, performs basic parsing on the request to ensure the resource exists, and hands it to the web application logic for processing; the logic returns a response, which the HTTP daemon returns to the client
      • Popular web server packages
        • IIS
        • Apache server
    • Web applications
      • Server-side logic
      • So-called n-tier architecture
      • Comprises
        • Presentation layer – receives input and displays results
        • Logic layer – takes input from the presentation layer, performs some tasks and returns results
        • Data layer – non-volatile storage of information; can be queried or updated
    • Intermediaries
      • To make the web application architecture more scalable, it needs
        • Proxies
          • Single gateway through which all connections have to pass
          • Terminates the initial browser request and then requests the original resource on behalf of the client
          • Gateway can cache commonly requested Internet content to save bandwidth and increase performance
          • Bad side – difficulty in tracing clients' addresses, since all requests carry the proxy's address; how to differentiate clients?
        • Load balancers
          • Reverse proxy; manages the incoming load of client requests and distributes them across identically configured web servers; transparent to clients
          • Categorized as static (requests routed in a predetermined fashion, such as round robin) or dynamic (requests shunted to servers based on some variable such as least connections or fastest link)
          • Cisco LocalDirector, F5's BIG-IP
    • Potential weak spots
      • Web client – active content execution (small executables or script code that can be rendered within a browser to provide dynamic client-resident executable behavior that can offload a lot of server logic – Microsoft ActiveX and Sun's Java), client software vulnerability exploitation, cross-site scripting errors (improper input sanitization on the server side, which allows input of script commands that are then interpreted by the client-side browser – refer to the example on pp. 289-292)
      • Transport – eavesdropping on client-server communications, SSL redirection
      • Web server – web server software vulnerabilities
      • Web application – attacks against authentication, authorization, input validation, application logic
      • Database – running privileged commands, query manipulation
    • Methodology of web hacking
      • Profile the infrastructure
      • Attack web servers
      • Survey application
      • Attack authentication mechanism
      • Attack authorization schemes
      • Perform functional analysis
      • Exploit data connectivity
      • Attack management interfaces
      • Attack client
      • Launch DoS attack
    • Profile the infrastructure
      • Identify the most basic components of the web application
        • Server IP address, virtual IPs
        • Server ports and other services
        • Server type and version
      • How?
        • Simply prepend www. and append .com (or .org, .edu or .gov) to the organization's name and there is a very good chance of finding a web server
        • Internet footprinting – creates a complete profile of a target's information technology infrastructure; primarily carried out with the whois utility (used to find assigned Internet IP address ranges, registered DNS domain names and related data, and the administrative contact for an Internet presence)
        • http://www.arin.net/whois
          • DNS interrogation
            • Start the nslookup client
            • Specify the DNS server to query
            • ls -d domain
          • Ping – most basic approach to discovering servers
          • Port scanning – most efficient method; attempts to connect to a specific set of TCP and/or UDP ports to determine whether a service exists. If a response is received, the responding IP address is a "live" address; needs a comprehensive list of potential ports
      • Service discovery
        • Once servers have been identified, figure out which ports are running HTTP (or SSL) using the port scanning method
        • Running a scan for services can be done straightforwardly with the fscan command
          • D:> fscan -qp 80,81,88,443 ...
          • Returns the IP of any server running web-related services
    • Attacks web server (IIS)
      • IIS security vulnerabilities are grouped into
        • Attacks against IIS components
          • IIS relies on DLLs that provide various capabilities to the server (script execution, content indexing, web-based printing, etc.); these functions are invoked by requesting a file with the appropriate extension from IIS (for example .prt) – ISAPI (Internet Server Application Programming Interface) DLLs
            • Extreme cases involve buffer overflows (NIMDA, Code Red worms) – IIS halted
          • Countermeasures for ISAPI DLLs
            • Remove unused extension mappings
            • Keep up with Microsoft service packs and hotfixes
            • Use IISLockDown and UrlScan
              • IISLockDown – automated, template-driven utility for applying security configurations to IIS
              • UrlScan – manually installed on the server; an ISAPI filter that sits in front of IIS so that it intercepts HTTP requests before IIS does; determines which HTTP requests will be rejected (returns HTTP 404 "Object Not Found" to deny requests)
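An added example, not code from the presentation or from UrlScan itself, of the two countermeasures above working together: an allowlist stands in for the extension mappings deliberately left enabled, and any request that would reach an unmapped extension or use an unexpected verb is answered with 404, as UrlScan does. The allowlist contents and the function name are assumptions; the sample requests are constructed.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed allowlist: mirrors the extension mappings deliberately left enabled.
# Anything else (.prt, .ida, .htr, ...) is treated as an unmapped extension.
ALLOWED_EXTENSIONS = {"", ".htm", ".html", ".asp", ".css", ".js", ".gif", ".jpg"}
ALLOWED_VERBS = {"GET", "HEAD", "POST"}


def filter_request(verb: str, raw_url: str) -> tuple:
    """Decide whether a request may reach the web server's logic.

    Returns (status, reason). 404 mirrors UrlScan's "Object Not Found" reply,
    which tells the client nothing about why the request was dropped."""
    if verb.upper() not in ALLOWED_VERBS:
        return 404, "verb not allowed"
    # Decode percent-encoding and collapse ../ before looking at anything,
    # so /x/%2e%2e/y.prt is judged by where it really points.
    path = posixpath.normpath(unquote(urlsplit(raw_url).path))
    if "\\" in path or "\x00" in path:
        return 404, "unexpected characters in path"
    # Check every segment, not just the last one: IIS hands /foo.prt/extra to the
    # handler mapped for .prt, so a trailing path-info part must not hide it.
    for segment in path.split("/"):
        ext = posixpath.splitext(segment)[1].lower()
        if ext not in ALLOWED_EXTENSIONS:
            return 404, f"extension {ext} not mapped"
    return 200, "forwarded to web server"


if __name__ == "__main__":
    # Constructed requests: one ordinary page, then attempts to reach unmapped handlers.
    for verb, url in [("GET", "/index.htm"), ("GET", "/printers/test.prt"),
                      ("GET", "/scripts/x.prt/extra/info"), ("GET", "/a/%2e%2e/q.ida?x=1"),
                      ("TRACE", "/index.htm")]:
        print(verb, url, "->", filter_request(verb, url))
```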
      • Automated vulnerability scanning software
        • Whisker
        • Nikto
        • Twwwscan/arirang
        • Stealth HTTP Scanner
        • Typhon
        • WebInspect
        • AppScan
        • FoundScan Web
      • DoS against web servers
      • A web server needs to listen on at least one port in order to provide a useful service, which makes it a ripe target for simple resource consumption attacks
      • TCP connect flood
        • Web servers handle HTTP requests; if enough requests are generated in a short amount of time, resources will be overwhelmed (PortF*** tool to test DoS attacks)
        • Countermeasures
          • Adding more resources until the other side runs out – higher cost – more processors, memory, bandwidth
          • Cisco rate limit feature – limits the maximum amount of bandwidth allowed from one destination network or interface on a router
        • Specific DoS vulnerabilities
          • Exploit vulnerabilities in web server software
          • IIS WebDAV PROPFIND DoS attack – padding an XML WebDAV request with an overlong value causes the IIS service to restart
          • Countermeasures
            • Get relevant patches
            • Disable IIS WebDAV feature using IISLockDown tool; however disabling this will cause loss of
              • Web folders
              • Publishing to web site using Office2000
              • Monitoring IIS 5.0 server via Digital Dashboard
    • Survey application
      • To generate a complete picture of the content, components, function and flow of the web site in order to gather clues about where to find underlying vulnerabilities such as input validation flaws or SQL injection
      • Documenting application structure
        • Do a simple click-through to get familiar with the web site, its menus and directories
        • List the information in a matrix table
          • Page name, its full path, any authentication?, any SSL?, GET/POST arguments, comments (personal notes)
      • Manually inspect the application
        • Click on every link you can find
        • Record each page's information in the attack matrix
        • Look for
          • Statically generated pages (.html files – lack functionality to attack; no input to test) and dynamically generated pages (.php, .asp, .jsp), directory structure, helper files, Java classes and applets, HTML comments and content, forms, query strings, back-end connectivity
          • What authentication method is used?
      • Directory structure
        • Try to guess the mindset of the administrator
        • Check for
          • Directories supposed to be secure: /admin, /secure, /adm
          • Directories that contain backup files or log files: /.bak, /backup, /back, /log, /logs, /archive, /old
          • Directories for include files: /include, /inc, /global, /local