Web Application
by Accounting 31 @Intrachai Commercial College


  1. Web Application
  2. Web Application HTTP(s) agent Web Application Application Server Web Server Application Server Web Application Database Server Web Application
  3. 1 Web Architecture
  4. Firewall, Load Balancer, Reverse Proxy Server, Cache System web client database server Layer HTTP Client / User Cross-Site Scripting Spoofing Javascript Injection Browser
  5. Layer Transport Layer HTTP(s) Passive Monitoring) Man-in-the-Middle Attack) Session (Session Hijack) Firewall SSL Session Web Server Buffer Overflow Format String Directory Traversal Default Accounts Default Applications
  6. Layer Web Applications Metacharacters Null Characters Buffer Overflow Firewall Internet Network Firewall Database Direct SQL Commands SQL Injection Query Restricted Database Database Exploit
  7. MS IIS
  8. Hidden Field Manipulation Cookie Poisoning Backdoors and debug options Application buffer overflows Stealth commanding 3rd party misconfigurations Known vulnerabilities Parameter tampering
  9. Cross site scripting Forceful browsing Hacking over SSL Source code Disclosure Web Server Architecture Attack SQL Injection Java Script Injection
  10. Hidden Field hidden field hidden field View Source) Tag HIDDEN Application
  11. 2 Hidden Field
  12. Cookie Poisoning Cookie Session cookie Session ID cookie
  13. Back Door & Debug Options Developing Environment debug Debug Debug Debug back door
  14. disable debug mode back door
  15. Application Buffer Overflow Buffer Overflow text box
  16. Stealth Commanding SQL Command Command SQL Command
  17. 3rd Party Misconfiguration Default password
  18. Known Vulnerabilities Microsoft IIS Patch patch) patch patch
  19. Microsoft IIS
  20. Parameter Tampering
  21. Cross Site Script cross site script script script sends an email javascript
  22. 3 Cross Site Script
  23. Forceful Browsing Default file
  24. Hacking Over SSL SSL content SSL SSL
  25. Source Code Disclosures Source Code Disclosure configuration file Source Code Disclosures WebLogic / WebSphere JSP JHTML jsp" URL
  26. Source Code Disclosures Microsoft IIS HTR" ASA ASP URL http://10.0.0.1/global.asa+.htr URL htr ISM.DLL URL ISM.DLL Microsoft IIS showcode.asp showcode.asp bundled IIS Windows NT Option Pack 4.0 URL
  27. Web Server Architecture Attack bypass built-in procedure
  28. handler html handler html cgi handler cgi default handler handler default handler cgi html jsp handler html java compiler java run-time handler forcing Sun Java Web Server URL
  29. http://10.0.0.2/servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/path/to/file.html servlet path /servlet/ PageCompile handler (Servlet) handle path handle java run-time root
  30. SQL Poisoning & Injections sql statement sql statement DBMS SQL Query) sql statement database Dim sql_con, result, sql_qry Const CONNECT_STRING = "Provider=SQLOLEDB;SERVER=WEB_DB;UID=sa;PWD=xyzzy" sql_qry = "SELECT * FROM PRODUCT WHERE ID ="
  31. Set objCon = Server.CreateObject("ADODB.Connection") objCon.Open CONNECT_STRING Set objRS = objCon.Execute(strSQL) http://10.0.0.3/showtable.asp?ID=3+OR+1=1
  32. Query Statement SELECT * FROM PRODUCT WHERE ID=3 OR 1=1 PRODUCT http://10.0.0.3/showtable.asp?ID=3%01DROP+TABLE+PRODUCT SELECT * FROM PRODUCT WHERE ID=3 DROP TABLE PRODUCT SQL statement
  33. http://10.0.0.3/showtable.asp?ID=3%01EXEC+master..xp_cmdshell+'copy+winntsystem32cmd.exe+inetpubscripts' Copy winntsystem32winntcmd.exe inetpubscripts SQL Injection Inject Backdoor Inject
  34. Java Script Injection Javascript Injection Javascript Java Script Injection Session Hidden Field Session Invalid Javascript HTML Javascript Cookies javascript:alert(document.cookie)
  35. System Scanner and Security Infrastructure Software Secure Coding
  36. System Scanner and Security Infrastructure Software System Scanner permission Scanner Whisker, Nikto, Stealth, Twwwscan AppScan
  37. reject AppShield
  38. Secure Coding input & output validation SSL HTML forms
  39. Input & Output validation NEVER TRUST CLIENT SIDE DATA) Client Side Script JavaScript, VBScript, Java Applets, Flash, ActiveX, CSS XML/XSL script script
  40. Sanity Checking YES NO drop system call directory traversal NULL character HTML HTML
  41. HTML tag webmail, message board chat HTML Allow List HTML tag drop HTML tag tag HTML <APPLET>, <BASE>, <BODY>, <EMBED>, <FRAME>, <FRAMESET>, <HTML>, <IFRAME>, <IMG>, <LAYER>, <META>, <OBJECT>, <P>, <SCRIPT>, <STYLE> HTML tag attributes STYLE>, <SRC>, <HREF>, <TYPE> HTML
  42. SSL HTTP HTTP Plaintext Sniffer HTTP HTTP SSL (Secure Socket Layer) Web Client Web Server SSL transport Client & Server Authentication
  43. SSL SSL Web Browser Public Key Server Browser Server Server SSL SSL Server Certificate) Public Key)
  44. HTML forms hidden form element hidden hidden element password element SSL plain text password element method HTTP/GET HTTP/POST MaxSize Attribute (<input MaxSize="##">)
  45. Cookies Cookies Cookie persistent: Cookie non-persistent: Cookie Cookies User Authentication State Management Saving user preference Cookies • Cookies Plaintext
  46. • restrictive path Cookies • Authentication valid • Cookies • Token ID • Cookies Timeout Cookies • Authentication Business Intranet authentication • Authentication header User-Agent, Accept-Language, Etc.
  47. HTTP REFERER Header script attack script attack HTTP REFERER header HTTP REFERER
  48. POST & GET method method GET Proxy Server, Firewall, Web Servers log POST POST method client side script POST method GET
  49. logout logout Cookies Cookies session session Cookies
  50. Error Handling Mechanism Error Handling Error Description Error Description Error Description Error Description Username Password Password
  51. The End
