Ch10 Hacking Web Servers it-slideshares.blogspot.com


Transcript of Ch10 Hacking Web Servers it-slideshares.blogspot.com

Page 1: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Hands-On Ethical Hacking and Network Defense

Chapter 10: Hacking Web Servers

http://it-slideshares.blogspot.com

Page 2: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Objectives

Describe Web applications

Explain Web application vulnerabilities

Describe the tools used to attack Web servers

Page 3: Ch10 Hacking Web Servers it-slideshares.blogspot.com

[Diagram: Client's browser (Internet Explorer or Firefox) connected to a Web server (IIS or Apache) over HTTP and HTTPS]

Page 4: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Web Servers

The two main Web servers are Apache (Open source) and IIS (Microsoft)

Image from netcraft.com (link Ch 10c)

Page 5: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Understanding Web Applications

It is nearly impossible to write a program without bugs

Some bugs create security vulnerabilities

Web applications also have bugs

Web applications have a larger user base than standalone applications

Bugs are a bigger problem for Web applications

Page 6: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Web Application Components

Static Web pages

Created using HTML

Dynamic Web pages

Need special components

<form> tags

Common Gateway Interface (CGI) scripts

Active Server Pages (ASP)

PHP

ColdFusion

Scripting languages like JavaScript

ODBC (Open Database connector)

Page 7: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Web Forms

Use the <form> element or tag in an HTML document

Allows customer to submit information to the Web server

Web servers process information from a Web form by using a Web application

Easy way for attackers to intercept data that users submit to a Web server

Page 8: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Web Forms (continued)

Web form example

<html><body>
<form>
Enter your username:
<input type="text" name="username">
<br>
Enter your password:
<input type="text" name="password">
</form></body></html>

Page 9: Ch10 Hacking Web Servers it-slideshares.blogspot.com


Page 10: Ch10 Hacking Web Servers it-slideshares.blogspot.com

[Diagram: Client's browser (HTML forms, JavaScript) connected to a Web server (CGI scripts) over HTTP and HTTPS]

Page 11: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Common Gateway Interface (CGI)

Handles moving data from a Web server to a Web browser

The majority of dynamic Web pages are created with CGI and scripting languages

Describes how a Web server passes data to a Web browser

Relies on Perl or another scripting language to create dynamic Web pages

Page 12: Ch10 Hacking Web Servers it-slideshares.blogspot.com

CGI Languages

CGI programs can be written in different programming and scripting languages

C or C++

Perl

Unix shell scripting

Visual Basic

FORTRAN

Page 13: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Common Gateway Interface (CGI) (continued)

CGI example

Written in Perl

Hello.pl

Should be placed in the cgi-bin directory on the Web server

#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello Security Testers!";

Page 14: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Another CGI Example

Link Ch 10a: Sam’s Feedback Form

Link Ch 10b: CGI Script in Perl that processes the data from the form

Page 15: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Active Server Pages (ASP)

Microsoft’s server-side script engine

HTML pages are static—always the same

ASP creates HTML pages as needed. They are not static

ASP uses scripting languages such as JScript or VBScript

Not all Web servers support ASP

IIS supports ASP

Apache doesn’t support ASP as well

Page 16: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Active Server Pages (ASP)

You can’t see the source of an ASP page from a browser

This makes it harder to hack into, although not impossible

ASP examples at links Ch 10d, e, f

Page 17: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Apache Web Server

Apache is the most popular Web Server program

Advantages

Stable and reliable

Works on just about any *NIX and Windows platform

It is free and open source

See links Ch 10g, 10h

Page 18: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Using Scripting Languages

Dynamic Web pages can be developed using scripting languages

VBScript

JavaScript

PHP

Page 19: Ch10 Hacking Web Servers it-slideshares.blogspot.com

PHP: Hypertext Processor (PHP)

Enables Web developers to create dynamic Web pages

Similar to ASP

Open-source server-side scripting language

Can be embedded in an HTML Web page using PHP tags <?php and ?>

Users cannot see PHP code in their Web browser

Used primarily on UNIX systems

Also supported on Macintosh and Microsoft platforms

Page 20: Ch10 Hacking Web Servers it-slideshares.blogspot.com

PHP Example

<html><head><title>Example</title></head>
<body>
<?php
echo 'Hello, World!';
?>
</body></html>

See links Ch 10k, 10l

PHP has known vulnerabilities

See links Ch 10m, 10n

PHP is often used with MySQL Databases

Page 21: Ch10 Hacking Web Servers it-slideshares.blogspot.com

ColdFusion

Server-side scripting language used to develop dynamic Web pages

Created by the Allaire Corporation

Purchased by Macromedia, now owned by Adobe -- Expensive

Uses its own proprietary tags written in ColdFusion Markup Language (CFML)

CFML Web applications can contain other technologies, such as HTML or JavaScript

Page 22: Ch10 Hacking Web Servers it-slideshares.blogspot.com

ColdFusion Example

<html><head><title>Ex</title></head>
<body>
<CFLOCATION URL="www.isecom.org/cf/index.htm" ADDTOKEN="NO">
</body>
</html>

See links Ch 10o

Page 23: Ch10 Hacking Web Servers it-slideshares.blogspot.com

ColdFusion Vulnerabilities

See links Ch 10p, 10q

Page 24: Ch10 Hacking Web Servers it-slideshares.blogspot.com

VBScript

Visual Basic Script is a scripting language developed by Microsoft

You can insert VBScript commands into a static HTML page to make it dynamic

Provides the power of a full programming language

Executed by the client’s browser

Page 25: Ch10 Hacking Web Servers it-slideshares.blogspot.com

VBScript Example

<html><body>
<script type="text/vbscript">
document.write("<h1>Hello!</h1>")
document.write("Date Activated: " & date())
</script>
</body></html>

See link Ch 10r – works in IE, but not in Firefox

Firefox does not support VBScript (link Ch 10s)

Page 26: Ch10 Hacking Web Servers it-slideshares.blogspot.com

VBScript vulnerabilities

See links Ch 10t, 10u

Page 27: Ch10 Hacking Web Servers it-slideshares.blogspot.com

JavaScript

Popular scripting language

JavaScript also has the power of a programming language

Branching

Looping

Testing

Page 28: Ch10 Hacking Web Servers it-slideshares.blogspot.com

JavaScript Example

<html><head>
<script type="text/javascript">
function chastise_user(){
  alert("So, you like breaking rules?");
  document.getElementById("cmdButton").focus();
}
</script></head>
<body><h3>Don't click the button!</h3>
<form>
<input type="button" value="Don't Click!" name="cmdButton" id="cmdButton" onClick="chastise_user()" />
</form></body></html>

See link Ch 10v – works in IE and Firefox

Page 29: Ch10 Hacking Web Servers it-slideshares.blogspot.com

JavaScript Vulnerabilities

See link Ch 10w

Page 30: Ch10 Hacking Web Servers it-slideshares.blogspot.com

[Diagram: Client's browser connected over HTTP or HTTPS to a Web server (Apache or IIS, with HTML forms and CGI scripts), which connects through ODBC, OLE DB, or ADO to a database (SQL Server, Oracle, or MySQL)]

Page 31: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Connecting to Databases

Web pages can display information stored on databases

There are several technologies used to connect databases with Web applications

Technology depends on the OS used

ODBC

OLE DB

ADO

Theory is the same

Page 32: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Open Database Connectivity (ODBC)

Standard database access method developed by the SQL Access Group

ODBC interface allows an application to access

Data stored in a database management system (DBMS)

Can use Oracle, SQL, or any DBMS that understands and can issue ODBC commands

Interoperability among back-end DBMS is a key feature of the ODBC interface

Page 33: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Open Database Connectivity (ODBC) (continued)

ODBC defines

Standardized representation of data types

A library of ODBC functions

Standard methods of connecting to and logging on to a DBMS

Page 34: Ch10 Hacking Web Servers it-slideshares.blogspot.com

OLE DB and ADO

Object Linking and Embedding Database (OLE DB) and ActiveX Data Objects (ADO)

These two more modern, complex technologies replace ODBC and make up "Microsoft’s Universal Data Access"

See link Ch 10x

Page 35: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Understanding Web Application Vulnerabilities

Many platforms and programming languages can be used to design a Web site

Application security is as important as network security

Page 36: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Attackers controlling a Web server can

Deface the Web site

Destroy or steal company’s data

Gain control of user accounts

Perform secondary attacks from the Web site

Gain root access to other applications or servers

Page 37: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Open Web Application Security Project (OWASP)

Open, not-for-profit organization dedicated to finding and fighting vulnerabilities in Web applications

Publishes the Ten Most Critical Web Application Security Vulnerabilities

Page 38: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Top-10 Web application vulnerabilities

Unvalidated parameters

HTTP requests from browsers that are not validated by the Web server

Inserted form fields, cookies, headers, etc. (See link Ch 10y)

Broken access control

Developers implement access controls but fail to test them properly

For example, letting an authenticated user read another user’s files

Page 39: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Top-10 Web application vulnerabilities (continued)

Broken account and session management

Enables attackers to compromise passwords or session cookies to gain access to accounts

Cross-site scripting (XSS) flaws

Attackers inject code into a web page, such as a forum or guestbook

When other users view the page, confidential information is stolen

See link Ch 10za

Buffer overflows

It is possible for an attacker to use C or C++ code that includes a buffer overflow

Page 40: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Top-10 Web application vulnerabilities (continued)

Command injection flaws

An attacker can embed malicious code and run a program on the database server

Example: SQL Injection

Error-handling problems

Error messages may reveal information that an attacker can use

Insecure use of cryptography

Storing keys, certificates, and passwords on a Web server can be dangerous

Page 41: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Top-10 Web application vulnerabilities (continued)

Remote administration flaws

Attacker can gain access to the Web server through the remote administration interface

Web and application server misconfiguration

Any Web server software out of the box is usually vulnerable to attack

Default accounts and passwords

Overly informative error messages

Page 42: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Application Vulnerabilities Countermeasures (continued)

WebGoat project

Helps security testers learn how to perform vulnerability testing on Web applications

Developed by OWASP

It’s like HackThisSite without the helpful forum

Tutorials for WebGoat are being made, but they aren’t yet ready

Page 43: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Assessing Web Applications

Issues to consider

Dynamic Web pages

Connection to a backend database server

User authentication

What platform was used?

Page 44: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Does the Web Application Use Dynamic Web Pages?

Static Web pages do not create a secure environment

IIS attack example: Directory Traversal

Adding ..\ to a URL refers to a directory above the Web page directory

Early versions of IIS filtered out \, but not %c1%9c, which is a Unicode version of the same character

See link Ch 10 zh
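The filtering mistake on this slide, shown next to a hardened check, as an added example that is not part of the original slides. It models a permissive decoder that accepts the overlong byte pair C1 9C as a backslash, and compares "filter, then decode" with "decode strictly, canonicalize, then check containment". The document root and the request paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/inetpub/wwwroot"  # assumed document root, for illustration only


def lax_utf8_decode(raw):
    """Model of a permissive decoder that accepts overlong 2-byte UTF-8."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            # C1 9C -> ((0xC1 & 0x1F) << 6) | (0x9C & 0x3F) = 0x5C, a backslash
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def filter_then_decode(url_path):
    """Flawed order: the filter inspects the raw URL, decoding happens later."""
    if "\\" in url_path or "../" in url_path:
        return None  # literal traversal characters are caught here
    return lax_utf8_decode(unquote_to_bytes(url_path))


def decode_then_validate(url_path):
    """Hardened order: strict decode, canonicalize, then check containment."""
    try:
        decoded = unquote_to_bytes(url_path).decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None  # overlong or malformed sequences such as C1 9C
    decoded = decoded.replace("\\", "/")  # treat both separators the same way
    full = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None  # resolved path escapes the document root
    return full


# Constructed request paths: a normal one, a literal one, two encoded ones.
SAMPLES = [
    "/images/logo.gif",
    "/images/..\\..\\notes.txt",
    "/images/..%5c..%5cnotes.txt",
    "/images/..%c1%9c..%c1%9cnotes.txt",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(repr(path))
        print("  filter_then_decode  ->", repr(filter_then_decode(path)))
        print("  decode_then_validate ->", repr(decode_then_validate(path)))
```

The flawed function returns a path containing `..\` for the encoded request because the filter ran before decoding; the hardened function rejects it at the strict decode step and would also reject it at the containment check.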

Page 45: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Connection to a Backend Database Server

Security testers should check for the possibility of SQL injection being used to attack the system

SQL injection involves the attacker supplying SQL commands on a Web application field

Page 46: Ch10 Hacking Web Servers it-slideshares.blogspot.com

SQL Injection Example

HTML form collects name and pw

SQL then uses those fields:

SELECT * FROM customer
WHERE username = 'name' AND password = 'pw'

If a hacker enters a name of ' OR 1=1 --

The SQL becomes:

SELECT * FROM customer
WHERE username = '' OR 1=1 --' AND password = 'pw'

Which is always true, and returns all the records

Page 47: Ch10 Hacking Web Servers it-slideshares.blogspot.com

HackThisSite

Page 48: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Connection to a Backend Database Server

Basic testing should look for

Whether you can enter text with punctuation marks

Whether you can enter a single quotation mark followed by any SQL keywords

Whether you can get any sort of database error when attempting to inject SQL
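The query from the SQL Injection Example slide and the checks listed above, run against an in-memory SQLite database, as an added example that is not part of the original slides. It places the concatenated query beside a parameterized one; the table rows and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build the customer table from the slide with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (username TEXT, password TEXT)")
    # Plain-text passwords mirror the slide's query; real systems store hashes.
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?)",
        [("alice", "wonderland"), ("bob", "builder")],
    )
    return conn


def login_concatenated(conn, name, pw):
    """Vulnerable form: form fields are pasted into the SQL text."""
    sql = (
        "SELECT * FROM customer WHERE username = '" + name
        + "' AND password = '" + pw + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, name, pw):
    """Hardened form: the fields travel as bound values, never as SQL."""
    sql = "SELECT * FROM customer WHERE username = ? AND password = ?"
    return conn.execute(sql, (name, pw)).fetchall()


def outcome(login, conn, name, pw):
    """Row count, or 'db-error' when the input broke the statement."""
    try:
        return len(login(conn, name, pw))
    except sqlite3.Error:
        return "db-error"


# Constructed inputs: a valid login, the slide's input, a name with a quote.
CASES = [
    ("alice", "wonderland"),
    ("' OR 1=1 --", "pw"),
    ("O'Brien", "pw"),
]

if __name__ == "__main__":
    db = make_db()
    for name, pw in CASES:
        print(repr(name))
        print("  concatenated  ->", outcome(login_concatenated, db, name, pw))
        print("  parameterized ->", outcome(login_parameterized, db, name, pw))
```

A database error on a lone single quote is the signal the basic tests look for: it shows the field reaches the SQL parser as code. With bound parameters the same inputs are compared as ordinary strings and match no rows.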

Page 49: Ch10 Hacking Web Servers it-slideshares.blogspot.com

User Authentication

Many Web applications require another server to authenticate users

Examine how information is passed between the two servers

Encrypted channels

Verify that logon and password information is stored in secure places

Authentication servers introduce a second target

Page 50: Ch10 Hacking Web Servers it-slideshares.blogspot.com

What Platform Was Used?

Popular platforms include:

IIS with ASP and SQL Server (Microsoft)

Linux, Apache, MySQL, and PHP (LAMP)

Footprinting is used to find out the platform

The more you know about a system the easier it is to gather information about its vulnerabilities

Page 51: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Tools of Web Attackers and Security Testers

Choose the right tools for the job

Attackers look for tools that enable them to attack the system

They choose their tools based on the vulnerabilities found on a target system or application

Page 52: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Web Tools

Cgiscan.c: CGI scanning tool

Written in C in 1999 by Bronc Buster

Tool for searching Web sites for CGI scripts that can be exploited

One of the best tools for scanning the Web for systems with CGI vulnerabilities

See link Ch 10zi

Page 53: Ch10 Hacking Web Servers it-slideshares.blogspot.com

cgiscan and WebGoat

Page 54: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Web Tools (continued)

Phfscan.c

Written to scan Web sites looking for hosts that could be exploited by the PHF bug

The PHF bug enables an attacker to download the victim’s /etc/passwd file

It also allows attackers to run programs on the victim’s Web server by using a particular URL

See links Ch 10zj, 10 zk

Page 55: Ch10 Hacking Web Servers it-slideshares.blogspot.com

Web Tools (continued)

Wfetch: GUI tool from Microsoft

Displays information that is not normally shown in a browser, such as HTTP headers

It also attempts authentication using

Multiple HTTP methods

Configuration of host name and TCP port

HTTP 1.0 and HTTP 1.1 support

Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiation authentication types

Multiple connection types

Proxy support

Client-certificate support

See link Ch 10zl

Page 56: Ch10 Hacking Web Servers it-slideshares.blogspot.com
