Ch10 Hacking Web Servers (transcript from it-slideshares.blogspot.com)
Hands-On Ethical Hacking and Network Defense
Chapter 10: Hacking Web Servers
http://it-slideshares.blogspot.com
Slide 2: Objectives
Describe Web applications
Explain Web application vulnerabilities
Describe the tools used to attack Web servers
Slide 3
[Diagram: Client's Browser (Internet Explorer or Firefox) <-- HTTP or HTTPS --> Web Server (IIS or Apache)]
Slide 4: Web Servers
The two main Web servers are Apache (open source) and IIS (Microsoft)
Image from netcraft.com (link Ch 10c)
Slide 5: Understanding Web Applications
It is nearly impossible to write a program without bugs
  Some bugs create security vulnerabilities
Web applications also have bugs
  Web applications have a larger user base than standalone applications
  Bugs are a bigger problem for Web applications
Slide 6: Web Application Components
Static Web pages
  Created using HTML
Dynamic Web pages
  Need special components
    <form> tags
    Common Gateway Interface (CGI) scripts
    Active Server Pages (ASP)
    PHP
    ColdFusion
    Scripting languages like JavaScript
    ODBC (Open Database Connectivity)
Slide 7: Web Forms
Use the <form> element or tag in an HTML document
  Allows customer to submit information to the Web server
Web servers process information from a Web form by using a Web application
Easy way for attackers to intercept data that users submit to a Web server
Slide 8: Web Forms (continued)
Web form example
<html><body>
<form>
Enter your username:
<input type="text" name="username">
<br>
Enter your password:
<input type="text" name="password">
</form></body></html>
Slide 10
[Diagram: Client's Browser (HTML Forms, JavaScript) <-- HTTP or HTTPS --> Web Server (CGI Scripts)]
Slide 11: Common Gateway Interface (CGI)
Handles moving data from a Web server to a Web browser
The majority of dynamic Web pages are created with CGI and scripting languages
Describes how a Web server passes data to a Web browser
  Relies on Perl or another scripting language to create dynamic Web pages
Slide 12: CGI Languages
CGI programs can be written in different programming and scripting languages
  C or C++
  Perl
  Unix shell scripting
  Visual Basic
  FORTRAN
Slide 13: Common Gateway Interface (CGI) (continued)
CGI example
  Written in Perl
  Hello.pl
  Should be placed in the cgi-bin directory on the Web server
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello Security Testers!";
Slide 14: Another CGI Example
Link Ch 10a: Sam's Feedback Form
Link Ch 10b: CGI script in Perl that processes the data from the form
Slide 15: Active Server Pages (ASP)
Microsoft's server-side script engine
  HTML pages are static: always the same
  ASP creates HTML pages as needed; they are not static
ASP uses scripting languages such as JScript or VBScript
Not all Web servers support ASP
  IIS supports ASP
  Apache doesn't support ASP as well
Slide 16: Active Server Pages (ASP)
You can't see the source of an ASP page from a browser
  This makes it harder to hack into, although not impossible
ASP examples at links Ch 10d, e, f
Slide 17: Apache Web Server
Apache is the most popular Web server program
Advantages
  Stable and reliable
  Works on just about any *NIX and Windows platform
  It is free and open source
See links Ch 10g, 10h
Slide 18: Using Scripting Languages
Dynamic Web pages can be developed using scripting languages
  VBScript
  JavaScript
  PHP
Slide 19: PHP: Hypertext Preprocessor (PHP)
Enables Web developers to create dynamic Web pages
  Similar to ASP
Open-source server-side scripting language
  Can be embedded in an HTML Web page using PHP tags <?php and ?>
  Users cannot see PHP code in their Web browser
Used primarily on UNIX systems
  Also supported on Macintosh and Microsoft platforms
Slide 20: PHP Example
<html><head><title>Example</title></head>
<body>
<?php
echo 'Hello, World!';
?>
</body></html>
See links Ch 10k, 10l
PHP has known vulnerabilities
  See links Ch 10m, 10n
PHP is often used with MySQL databases
Slide 21: ColdFusion
Server-side scripting language used to develop dynamic Web pages
Created by the Allaire Corporation
  Purchased by Macromedia, now owned by Adobe -- expensive
Uses its own proprietary tags written in ColdFusion Markup Language (CFML)
CFML Web applications can contain other technologies, such as HTML or JavaScript
Slide 22: ColdFusion Example
<html><head><title>Ex</title></head>
<body>
<CFLOCATION URL="www.isecom.org/cf/index.htm" ADDTOKEN="NO">
</body>
</html>
See link Ch 10o
Slide 23: ColdFusion Vulnerabilities
See links Ch 10p, 10q
Slide 24: VBScript
Visual Basic Script is a scripting language developed by Microsoft
You can insert VBScript commands into a static HTML page to make it dynamic
  Provides the power of a full programming language
  Executed by the client's browser
Slide 25: VBScript Example
<html><body>
<script type="text/vbscript">
document.write("<h1>Hello!</h1>")
document.write("Date Activated: " & date())
</script>
</body></html>
See link Ch 10r: works in IE, but not in Firefox
  Firefox does not support VBScript (link Ch 10s)
Slide 26: VBScript Vulnerabilities
See links Ch 10t, 10u
Slide 27: JavaScript
Popular scripting language
JavaScript also has the power of a programming language
  Branching
  Looping
  Testing
Slide 28: JavaScript Example
<html><head>
<script type="text/javascript">
function chastise_user(){
  alert("So, you like breaking rules?")
  // the button needs an id for getElementById to find it in every browser
  document.getElementById("cmdButton").focus()
}
</script></head>
<body><h3>Don't click the button!</h3>
<form>
<input type="button" value="Don't Click!" id="cmdButton" name="cmdButton" onClick="chastise_user()" />
</form></body></html>
See link Ch 10v: works in IE and Firefox
Slide 29: JavaScript Vulnerabilities
See link Ch 10w
Slide 30
[Diagram: Client's Browser <-- HTTP or HTTPS --> Web Server (Apache or IIS; HTML Forms, CGI Scripts) <-- ODBC or OLE DB or ADO --> Database (SQL Server or Oracle or MySQL)]
Slide 31: Connecting to Databases
Web pages can display information stored on databases
There are several technologies used to connect databases with Web applications
  Technology depends on the OS used
    ODBC
    OLE DB
    ADO
  Theory is the same
Slide 32: Open Database Connectivity (ODBC)
Standard database access method developed by the SQL Access Group
ODBC interface allows an application to access
  Data stored in a database management system (DBMS)
  Can use Oracle, SQL, or any DBMS that understands and can issue ODBC commands
Interoperability among back-end DBMS is a key feature of the ODBC interface
Slide 33: Open Database Connectivity (ODBC) (continued)
ODBC defines
  Standardized representation of data types
  A library of ODBC functions
  Standard methods of connecting to and logging on to a DBMS
Slide 34: OLE DB and ADO
Object Linking and Embedding Database (OLE DB) and ActiveX Data Objects (ADO)
  These two more modern, complex technologies replace ODBC and make up "Microsoft's Universal Data Access"
See link Ch 10x
Slide 35: Understanding Web Application Vulnerabilities
Many platforms and programming languages can be used to design a Web site
Application security is as important as network security
Slide 36: Attackers controlling a Web server can
Deface the Web site
Destroy or steal company's data
Gain control of user accounts
Perform secondary attacks from the Web site
Gain root access to other applications or servers
Slide 37: Open Web Application Security Project (OWASP)
Open, not-for-profit organization dedicated to finding and fighting vulnerabilities in Web applications
Publishes the Ten Most Critical Web Application Security Vulnerabilities
Slide 38: Top-10 Web application vulnerabilities
Unvalidated parameters
  HTTP requests from browsers that are not validated by the Web server
  Inserted form fields, cookies, headers, etc. (See link Ch 10y)
Broken access control
  Developers implement access controls but fail to test them properly
  For example, letting an authenticated user read another user's files
Slide 39: Top-10 Web application vulnerabilities (continued)
Broken account and session management
  Enables attackers to compromise passwords or session cookies to gain access to accounts
Cross-site scripting (XSS) flaws
  Attackers inject code into a web page, such as a forum or guestbook
  When other users view the page, confidential information is stolen
  See link Ch 10za
Buffer overflows
  It is possible for an attacker to use C or C++ code that includes a buffer overflow
Slide 40: Top-10 Web application vulnerabilities (continued)
Command injection flaws
  An attacker can embed malicious code and run a program on the database server
  Example: SQL injection
Error-handling problems
  Error messages may reveal information that an attacker can use
Insecure use of cryptography
  Storing keys, certificates, and passwords on a Web server can be dangerous
Slide 41: Top-10 Web application vulnerabilities (continued)
Remote administration flaws
  Attacker can gain access to the Web server through the remote administration interface
Web and application server misconfiguration
  Any Web server software out of the box is usually vulnerable to attack
  Default accounts and passwords
  Overly informative error messages
Slide 42: Application Vulnerabilities Countermeasures (continued)
WebGoat project
  Helps security testers learn how to perform vulnerability testing on Web applications
  Developed by OWASP
  It's like HackThisSite without the helpful forum
  Tutorials for WebGoat are being made, but they aren't yet ready
Slide 43: Assessing Web Applications
Issues to consider
  Dynamic Web pages
  Connection to a backend database server
  User authentication
  What platform was used?
Slide 44: Does the Web Application Use Dynamic Web Pages?
Static Web pages do not create a secure environment
IIS attack example: Directory Traversal
  Adding ..\ to a URL refers to a directory above the Web page directory
  Early versions of IIS filtered out \, but not %c1%9c, which is a Unicode version of the same character
See link Ch 10zh
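To show why a filter that runs before Unicode decoding misses %c1%9c, and what a sound check looks like, here is an added Python example (not from the book or the slides) that models both request pipelines. The document root, the sample URLs and the simplified "legacy filter" are assumptions for illustration, not IIS's actual code.

```python
"""Directory-traversal check: why filtering '\\' before UTF-8 decoding failed,
and how a strict decode-then-canonicalize check handles the same request.
Added example, not from the book; WEB_ROOT and the URLs are constructed."""
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/inetpub/wwwroot"  # constructed sample document root


def lenient_utf8_decode(data: bytes) -> str:
    """Model of a decoder that accepts overlong two-byte sequences such as
    C1 9C (the slide's %c1%9c). Strict UTF-8 rejects these because the code
    point they encode (0x5C, backslash) already has a one-byte form."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # other bytes taken as Latin-1 (simplification)
            i += 1
    return "".join(out)


def canonical_path(decoded: str) -> str:
    """Treat '\\' like '/', join under WEB_ROOT and collapse every '..'."""
    rel = decoded.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(WEB_ROOT, rel))


def is_inside_root(full_path: str) -> bool:
    return full_path == WEB_ROOT or full_path.startswith(WEB_ROOT + "/")


def legacy_filter_passes(url_path: str) -> bool:
    """Simplified model of the old check: percent-decode once, look for '..'
    followed by a slash or backslash, all BEFORE any UTF-8 decoding."""
    once = unquote_to_bytes(url_path).decode("latin-1")
    return not ("../" in once or "..\\" in once)


def serve_path_vulnerable(url_path: str) -> Optional[str]:
    """Flawed order: filter first, then a lenient decode that can create the
    very backslash the filter was looking for."""
    if not legacy_filter_passes(url_path):
        return None
    return canonical_path(lenient_utf8_decode(unquote_to_bytes(url_path)))


def serve_path_fixed(url_path: str) -> Optional[str]:
    """Sound order: strict decode (overlong forms are an error), canonicalize,
    then check that the RESULT stays under WEB_ROOT. None means 'reject'."""
    try:
        decoded = unquote_to_bytes(url_path).decode("utf-8")
    except UnicodeDecodeError:
        return None
    full = canonical_path(decoded)
    return full if is_inside_root(full) else None


if __name__ == "__main__":
    # Constructed requests: a normal file and the overlong-encoded '..\' form.
    for url in ("/images/logo.png", "/scripts/..%c1%9c..%c1%9cprivate/config.txt"):
        print(url, "->", serve_path_vulnerable(url), "|", serve_path_fixed(url))
```

The vulnerable pipeline resolves the second URL to a file outside the document root, while the fixed pipeline rejects it at the strict decode; the same fixed check also rejects the plain %5c form because the canonicalized result leaves the root.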
Slide 45: Connection to a Backend Database Server
Security testers should check for the possibility of SQL injection being used to attack the system
SQL injection involves the attacker supplying SQL commands on a Web application field
Slide 46: SQL Injection Example
HTML form collects name and pw
SQL then uses those fields:
SELECT * FROM customer
WHERE username = 'name' AND password = 'pw'
If a hacker enters a name of ' OR 1=1 --
The SQL becomes:
SELECT * FROM customer
WHERE username = '' OR 1=1 --' AND password = 'pw'
Which is always true, and returns all the records
Slide 47: HackThisSite
Slide 48: Connection to a Backend Database Server
Basic testing should look for
  Whether you can enter text with punctuation marks
  Whether you can enter a single quotation mark followed by any SQL keywords
  Whether you can get any sort of database error when attempting to inject SQL
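The login query from the SQL Injection Example slide and the database-error probe from the testing checklist above, run in one added Python example (not from the book) against an in-memory SQLite table with constructed rows: login_vulnerable builds the query the way the slide does, login_parameterized is the corrected form.

```python
"""SQL injection from the slides: the concatenated login query next to a
parameterized one. Added example, not from the book; the customer rows are
constructed, and passwords are stored in clear only to mirror the slide's query."""
import sqlite3
from typing import List, Tuple, Union

Rows = List[Tuple[str, str]]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])  # constructed
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> Union[Rows, str]:
    """Pastes the form fields into the SQL text, exactly as the slide shows.
    Returns the matching rows, or the database error text: the checklist's
    'single quote followed by a keyword' probe lands on that error path."""
    sql = ("SELECT * FROM customer "
           f"WHERE username = '{name}' AND password = '{pw}'")
    try:
        return conn.execute(sql).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return f"DB ERROR: {exc}"  # the kind of message a tester looks for


def login_parameterized(conn: sqlite3.Connection, name: str, pw: str) -> Rows:
    """Same query with placeholders: the driver binds the values as data, so a
    quote or a '--' in the input never becomes part of the SQL statement."""
    sql = "SELECT * FROM customer WHERE username = ? AND password = ?"
    return conn.execute(sql, (name, pw)).fetchall()


def matched_count(result: Union[Rows, str]) -> int:
    """Number of customer rows a login attempt matched (0 when it errored)."""
    return len(result) if isinstance(result, list) else 0


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"  # the name the slide's hacker enters
    print("vulnerable:    ", login_vulnerable(db, payload, "pw"))      # every row
    print("parameterized: ", login_parameterized(db, payload, "pw"))  # no rows
    print("error probe:   ", login_vulnerable(db, "'", "pw"))         # DB ERROR
```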
Slide 49: User Authentication
Many Web applications require another server to authenticate users
Examine how information is passed between the two servers
  Encrypted channels
Verify that logon and password information is stored in secure places
Authentication servers introduce a second target
Slide 50: What Platform Was Used?
Popular platforms include:
  IIS with ASP and SQL Server (Microsoft)
  Linux, Apache, MySQL, and PHP (LAMP)
Footprinting is used to find out the platform
  The more you know about a system, the easier it is to gather information about its vulnerabilities
Slide 51: Tools of Web Attackers and Security Testers
Choose the right tools for the job
Attackers look for tools that enable them to attack the system
  They choose their tools based on the vulnerabilities found on a target system or application
Slide 52: Web Tools
Cgiscan.c: CGI scanning tool
  Written in C in 1999 by Bronc Buster
  Tool for searching Web sites for CGI scripts that can be exploited
  One of the best tools for scanning the Web for systems with CGI vulnerabilities
  See link Ch 10zi
Slide 53: cgiscan and WebGoat
Slide 54: Web Tools (continued)
Phfscan.c
  Written to scan Web sites looking for hosts that could be exploited by the PHF bug
  The PHF bug enables an attacker to download the victim's /etc/passwd file
  It also allows attackers to run programs on the victim's Web server by using a particular URL
  See links Ch 10zj, 10zk
Slide 55: Web Tools (continued)
Wfetch: GUI tool from Microsoft
  Displays information that is not normally shown in a browser, such as HTTP headers
  It also attempts authentication using
    Multiple HTTP methods
    Configuration of host name and TCP port
    HTTP 1.0 and HTTP 1.1 support
    Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiation authentication types
    Multiple connection types
    Proxy support
    Client-certificate support
  See link Ch 10zl