Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Ch10 Hacking Web Servers


Published on

Ch 10: Hacking Web Servers

  • Be the first to comment

  • Be the first to like this

Ch10 Hacking Web Servers

  1. 1. Hands-On EthicalHacking and Network Defense Chapter 10 Hacking Web Servers
  2. 2. ObjectivesDescribe Web applicationsExplain Web application vulnerabilitiesDescribe the tools used to attack Webservers 2
  3. 3. Web Server IIS or Apache HTTPSHTTP Client’s Browser Internet Explorer or Firefox 3
  4. 4. Web ServersThe two main Web servers are Apache(Open source) and IIS (Microsoft)Image from (link Ch 10c) 4
  5. 5. Understanding Web ApplicationsIt is nearly impossible to write a programwithout bugs Some bugs create security vulnerabilitiesWeb applications also have bugs Web applications have a larger user base than standalone applications Bugs are a bigger problem for Web applications 5
  6. 6. Web Application ComponentsStatic Web pages Created using HTMLDynamic Web pages Need special components <form> tags Common Gateway Interface (CGI) scripts Active Server Pages (ASP) PHP ColdFusion Scripting languages like JavaScript ODBC (Open Database connector) 6
  7. 7. Web FormsUse the <form> element or tag in an HTMLdocument Allows customer to submit information to the Web serverWeb servers process information from aWeb form by using a Web applicationEasy way for attackers to intercept datathat users submit to a Web server 7
  8. 8. Web Forms (continued) Web form example<html><body><form>Enter your username:<input type="text" name="username"><br>Enter your password:<input type="text" name="password"></form></body></html> 8
  9. 9. 9
  10. 10. Web Server CGI Scripts HTTPSHTTP Client’s Browser HTML Forms JavaScript 10
  11. 11. Common Gateway Interface (CGI)Handles moving data from a Web serverto a Web browserThe majority of dynamic Web pages arecreated with CGI and scripting languagesDescribes how a Web server passesdata to a Web browser Relies on Perl or another scripting language to create dynamic Web pages 11
  12. 12. CGI LanguagesCGI programs can be written in differentprogramming and scripting languages C or C++ Perl Unix shell scripting Visual Basic FORTRAN 12
  13. 13. Common Gateway Interface (CGI) (continued)CGI example Written in Perl Should be placed in the cgi-bin directory on the Web server#!/usr/bin/perlprint "Content-type: text/htmlnn";print "Hello Security Testers!"; 13
  14. 14. Another CGI ExampleLink Ch 10a: Sam’s Feedback FormLink Ch 10b: CGI Script in Perl thatprocesses the data from the form 14
  15. 15. Active Server Pages (ASP)Microsoft’s server-side script engine HTML pages are static—always the same ASP creates HTML pages as needed. They are not staticASP uses scripting languages such asJScript or VBScriptNot all Web servers support ASP IIS supports ASP Apache doesn’t support ASP as well 15
  16. 16. Active Server Pages (ASP)You can’t seethe source ofan ASP pagefrom abrowserThis makes itharder to hackinto, althoughnot impossibleASP examplesat linksCh 10d, e, f 16
  17. 17. Apache Web ServerApache is the most popular Web ServerprogramAdvantages Stable and reliable Works on just about any *NIX and Windows platform It is free and open source See links Ch 10g, 10h 17
  18. 18. Using Scripting LanguagesDynamic Web pages can be developedusing scripting languages VBScript JavaScript PHP 18
  19. 19. PHP: Hypertext Processor (PHP) Enables Web developers to create dynamic Web pages  Similar to ASP Open-source server-side scripting language  Can be embedded in an HTML Web page using PHP tags <?php and ?> Users cannot see PHP code in their Web browser Used primarily on UNIX systems  Also supported on Macintosh and Microsoft platforms 19
  20. 20. PHP Example<html><head><title>Example</title></head><body><?phpecho Hello, World!;?></body></html>  See links Ch 10k, 10l PHP has known vulnerabilities  See links Ch 10m, 10n PHP is often used with MySQL Databases 20
  21. 21. ColdFusionServer-side scripting language used todevelop dynamic Web pagesCreated by the Allaire Corporation Purchased by Macromedia, now owned by Adobe -- ExpensiveUses its own proprietary tags written inColdFusion Markup Language (CFML)CFML Web applications can contain othertechnologies, such as HTML or JavaScript 21
  22. 22. ColdFusion Example<html><head><title>Ex</title></head><body><CFLOCATION URL="" ADDTOKEN="NO"></body></html>  See links Ch 10o 22
  23. 23. ColdFusion VulnerabilitiesSee links Ch 10p, 10q 23
  24. 24. VBScriptVisual Basic Script is a scripting languagedeveloped by MicrosoftYou can insert VBScript commands into astatic HTML page to make it dynamic Provides the power of a full programming language Executed by the client’s browser 24
  25. 25. VBScript Example<html><body><script type="text/vbscript">document.write("<h1>Hello!</h1>")document.write("Date Activated: " & date())</script></body></html> See link Ch 10r – works in IE, but not in Firefox Firefox does not support VBScript (link Ch 10s) 25
  26. 26. VBScript vulnerabilities See links Ch 10t, 10u 26
  27. 27. JavaScriptPopular scripting languageJavaScript also has the power of aprogramming language Branching Looping Testing 27
  28. 28. JavaScript Example<html><head><script type="text/javascript">function chastise_user(){alert("So, you like breaking rules?")document.getElementByld("cmdButton").focus( )}</script></head><body><h3>Dont click the button!</h3><form><input type="button" value="Dont Click!" name="cmdButton" onClick="chastise_user()" /></form></body></html>  See link Ch 10v – works in IE and Firefox 28
  29. 29. JavaScript VulnerabilitiesSee link Ch 10w 29
  30. 30. ODBC or Web Server OLE DB DatabaseApache or IIS Or ADO SQL Server orHTML Forms Oracle orCGI Scripts MySQL HTTP or HTTPS Client’s Browser 30
  31. 31. Connecting to DatabasesWeb pages can display information storedon databasesThere are several technologies used toconnect databases with Web applications Technology depends on the OS used ODBC OLE DB ADO Theory is the same 31
  32. 32. Open Database Connectivity (ODBC)Standard database access methoddeveloped by the SQL Access GroupODBC interface allows an application toaccess Data stored in a database management system (DBMS) Can use Oracle, SQL, or any DBMS that understands and can issue ODBC commandsInteroperability among back-end DBMS isa key feature of the ODBC interface 32
  33. 33. Open Database Connectivity (ODBC) (continued)ODBC defines Standardized representation of data types A library of ODBC functions Standard methods of connecting to and logging on to a DBMS 33
  34. 34. OLE DB and ADOObject Linking and Embedding Database(OLE DB) andActiveX Data Objects (ADO) These two more modern, complex technologies replace ODBC and make up"Microsoft’s Universal Data Access“ See link Ch 10x 34
  35. 35. Understanding Web Application VulnerabilitiesMany platforms and programminglanguages can be used to design a WebsiteApplication security is as important asnetwork security 35
  36. 36. Attackers controlling a Web server can  Deface the Web site  Destroy or steal company’s data  Gain control of user accounts  Perform secondary attacks from the Web site  Gain root access to other applications or servers 36
  37. 37. Open Web Application Security Project (OWASP) Open, not-for-profit organization dedicated to finding and fighting vulnerabilities in Web applications Publishes the Ten Most Critical Web Application Security Vulnerabilities 37
  38. 38. Top-10 Web application vulnerabilitiesUnvalidated parameters HTTP requests from browsers that are not validated by the Web server Inserted form fields, cookies, headers, etc. (See link Ch 10y)Broken access control Developers implement access controls but fail to test them properly For example, letting an authenticated user read another user’s files 38
  39. 39. Top-10 Web application vulnerabilities (continued)Broken account and session management Enables attackers to compromise passwords or session cookies to gain access to accountsCross-site scripting (XSS) flaws Attackers inject code into a web page, such as a forum or guestbook When others user view the page, confidential information is stolen See link Ch 10zaBuffer overflows It is possible for an attacker to use C or C++ code that includes a buffer overflow 39
  40. 40. Top-10 Web application vulnerabilities (continued)Command injection flaws An attacker can embed malicious code and run a program on the database server Example: SQL InjectionError-handling problems Error messages may reveal information that an attacker can useInsecure use of cryptography Storing keys, certificates, and passwords on a Web server can be dangerous 40
  41. 41. Top-10 Web application vulnerabilities (continued)Remote administration flaws Attacker can gain access to the Web server through the remote administration interfaceWeb and application servermisconfiguration Any Web server software out of the box is usually vulnerable to attack Default accounts and passwords Overly informative error messages 41
  42. 42. Application VulnerabilitiesCountermeasures (continued)WebGoat project Helps security testers learn how to perform vulnerabilities testing on Web applications Developed by OWASPIt’s like HackThisSite without the helpfulforum Tutorials for WebGoat are being made, but they aren’t yet ready 42
  43. 43. Assessing Web ApplicationsIssues to consider Dynamic Web pages Connection to a backend database server User authentication What platform was used? 43
  44. 44. Does the Web Application Use Dynamic Web Pages?Static Web pages do not create a secureenvironmentIIS attack example: Directory Traversal Adding .. to a URL refers to a directory above the Web page directory Early versions of IIS filtered out , but not %c1%9c, which is a Unicode version of the same character See link Ch 10 zh 44
  45. 45. Connection to a Backend Database ServerSecurity testers should check for thepossibility of SQL injection being used toattack the systemSQL injection involves the attackersupplying SQL commands on a Webapplication field 45
  46. 46. SQL Injection ExampleHTML form collects name and pwSQL then uses those fields: SELECT * FROM customer WHERE username = ‘name AND password = ‘pwIf a hacker enters a name of’ OR 1=1 --The SQL becomes: SELECT * FROM customer WHERE username = ‘’ OR 1=1 -- AND password = ‘pw‘Which is always true, and returns all the records 46
  47. 47. HackThisSite 47
  48. 48. Connection to a Backend Database ServerBasic testing should look for Whether you can enter text with punctuation marks Whether you can enter a single quotation mark followed by any SQL keywords Whether you can get any sort of database error when attempting to inject SQL 48
  49. 49. User AuthenticationMany Web applications require anotherserver to authenticate usersExamine how information is passedbetween the two servers Encrypted channelsVerify that logon and passwordinformation is stored on secure placesAuthentication servers introduce a secondtarget 49
  50. 50. What Platform Was Used?Popular platforms include: IIS with ASP and SQL Server (Microsoft) Linux, Apache, MySQL, and PHP (LAMP)Footprinting is used to find out theplatform The more you know about a system the easier it is to gather information about its vulnerabilities 50
  51. 51. Tools of Web Attackers and Security TestersChoose the right tools for the jobAttackers look for tools that enable themto attack the system They choose their tools based on the vulnerabilities found on a target system or application 51
  52. 52. Web ToolsCgiscan.c: CGI scanning tool Written in C in 1999 by Bronc Buster Tool for searching Web sites for CGI scripts that can be exploited One of the best tools for scanning the Web for systems with CGI vulnerabilities See link Ch 10zi 52
  53. 53. cgiscan and WebGoat 53
  54. 54. Web Tools (continued)Phfscan.c Written to scan Web sites looking for hosts that could be exploited by the PHF bug The PHF bug enables an attacker to download the victim’s /etc/passwd file It also allows attackers to run programs on the victim’s Web server by using a particular URL See links Ch 10zj, 10 zk 54
  55. 55. Web Tools (continued)Wfetch: GUI tool from Microsoft Displays information that is not normally shown in a browser, such as HTTP headers It also attempts authentication using Multiple HTTP methods Configuration of host name and TCP port HTTP 1.0 and HTTP 1.1 support Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiation authentication types Multiple connection types Proxy support Client-certificate support  See link Ch 10zl 55
  56. 56. 56