Post on 24-Dec-2015
Hands-On Ethical Hacking and Network Defense
Chapter 10Hacking Web Servers
Hands-On Ethical Hacking and Network Defense 2
Objectives
• Describe Web applications
• Explain Web application vulnerabilities
• Describe the tools used to attack Web servers
Hands-On Ethical Hacking and Network Defense 3
Understanding Web Applications
• It is nearly impossible to write a program without bugs– Some bugs create security vulnerabilities
• Web applications also have bugs– Web applications have a larger user base than
standalone applications– Bugs are a bigger problem for Web applications
Hands-On Ethical Hacking and Network Defense 4
Web Application Components
• Static Web pages– Created using HTML
• Dynamic Web pages– Need special components
• <form> tags• Common Gateway Interface (CGI)• Active Server Pages (ASP)• PHP• ColdFusion• Scripting languages• Database connectors
Hands-On Ethical Hacking and Network Defense 5
Web Forms
• Use the <form> element or tag in an HTML document– Allows customer to submit information to the Web
server
• Web servers process information from a Web form by using a Web application
• Easy way for attackers to intercept data that users submit to a Web server
Hands-On Ethical Hacking and Network Defense 6
Web Forms (continued)
• Web form example<html>
<body>
<form>
Enter your username:
<input type="text" name="username">
<br>
Enter your password:
<input type="text" name="password">
</form></body></html>
Hands-On Ethical Hacking and Network Defense 7
Hands-On Ethical Hacking and Network Defense 8
Common Gateway Interface (CGI)
• Handles moving data from a Web server to a Web browser
• The majority of dynamic Web pages are created with CGI and scripting languages
• Describes how a Web server passes data to a Web browser– Relies on Perl or another scripting language to create
dynamic Web pages
• CGI programs can be written in different programming and scripting languages
Hands-On Ethical Hacking and Network Defense 9
Common Gateway Interface (CGI) (continued)
• CGI example– Written in Perl– Hello.pl– Should be placed in the cgi-bin directory on the Web
server#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello Security Testers!";
Hands-On Ethical Hacking and Network Defense 10
Active Server Pages (ASP)
• With ASP, developers can display HTML documents to users on the fly– Main difference from pure HTML pages– When a user requests a Web page, one is created at
that time
• ASP uses scripting languages such as JScript or VBScript
• Not all Web servers support ASP
Hands-On Ethical Hacking and Network Defense 11
Hands-On Ethical Hacking and Network Defense 12
Active Server Pages (ASP) (continued)
• ASP example<HTML>
<HEAD><TITLE> My First ASP Web Page </TITLE></HEAD>
<BODY>
<H1>Hello, security professionals</H1>
The time is <% = Time %>.
</BODY>
</HTML>
• Microsoft does not want users to be able to view an ASP Web page’s source code– This can create serious security problems
Hands-On Ethical Hacking and Network Defense 13
Apache Web Server
• Tomcat Apache is another Web Server program
• Tomcat Apache hosts anywhere from 50% to 60% of all Web sites
• Advantages– Works on just about any *NIX and Windows platform– It is free
• Requires Java 2 Standard Runtime Environment (J2SE, version 5.0)
Hands-On Ethical Hacking and Network Defense 14
Hands-On Ethical Hacking and Network Defense 15
Hands-On Ethical Hacking and Network Defense 16
Using Scripting Languages
• Dynamic Web pages can be developed using scripting languages– VBScript– JavaScript– PHP
Hands-On Ethical Hacking and Network Defense 17
PHP: Hypertext Processor (PHP)
• Enables Web developers to create dynamic Web pages– Similar to ASP
• Open-source server-side scripting language– Can be embedded in an HTML Web page using PHP
tags <?php and ?>
• Users cannot see PHP code on their Web browser
• Used primarily on UNIX systems– Also supported on Macintosh and Microsoft platforms
Hands-On Ethical Hacking and Network Defense 18
PHP: Hypertext Processor (PHP) (continued)
• PHP example<html>
<head>
<title>My First PHP Program </title>
</head>
<body>
<?php echo '<h1>Hello, Security Testers!</h1>'; ?>
</body>
</html>
• As a security tester you should look for PHP vulnerabilities
Hands-On Ethical Hacking and Network Defense 19
ColdFusion
• Server-side scripting language used to develop dynamic Web pages
• Created by the Allaire Corporation
• Uses its own proprietary tags written in ColdFusion Markup Language (CFML)
• CFML Web applications can contain other technologies, such as HTML or JavaScript
Hands-On Ethical Hacking and Network Defense 20
ColdFusion (continued)
• CFML example<html>
<head>
<title>Using CFML</title>
</head>
<body>
<CFLOCATION URL="www.isecom.org/cf/index.htm" ADDTOKEN="NO">
</body>
</html>
• CFML is not exempt of vulnerabilities
Hands-On Ethical Hacking and Network Defense 21
VBScript
• Visual Basic Script is a scripting language developed by Microsoft
• Converts static Web pages into dynamic Web pages– Takes advantage of the power of a full programming
language
• VBScript is also prone to security vulnerabilities– Check the Microsoft Security Bulletin for information
about VBScript vulnerabilities
Hands-On Ethical Hacking and Network Defense 22
VBScript (continued)
• VBScript example<html>
<body>
<script type="text/vbscript">
document.write("<h1>Hello Security Testers!</h1>")
document.write("Date Activated: " & date())
</script>
</body>
</html>
Hands-On Ethical Hacking and Network Defense 23
Hands-On Ethical Hacking and Network Defense 24
JavaScript
• Popular scripting language
• JavaScript also has the power of a programming language– Branching– Looping– Testing
• Variety of vulnerabilities exist for JavaScript that have been exploited in older Web browsers
Hands-On Ethical Hacking and Network Defense 25
JavaScript (continued)
• JavaScript example<html>
<head>
<script type="text/javascript">
function chastise_user()
{
alert("So, you like breaking rules?")
document.getElementByld("cmdButton").focus()
}
</script>
</head>
<body>
<h3>"If you are a Security Tester, please do not click the command
button below!"</h3>
<form>
<input type="button" value="Don't Click!" name="cmdButton"
onClick="chastise_user()" />
</form>
</body>
</html>
Hands-On Ethical Hacking and Network Defense 26
Hands-On Ethical Hacking and Network Defense 27
Hands-On Ethical Hacking and Network Defense 28
Connecting to Databases
• Web pages can display information stored on databases
• There are several technologies used to connect databases with Web applications– Technology depends on the OS used
• ODBC
• OLE DB
• ADO
– Theory is the same
Hands-On Ethical Hacking and Network Defense 29
Open Database Connectivity (ODBC)
• Standard database access method developed by the SQL Access Group
• ODBC interface allows an application to access– Data stored in a database management system– Any system that understands and can issue ODBC
commands
• Interoperability among back-end DBMS is a key feature of the ODBC interface
Hands-On Ethical Hacking and Network Defense 30
Open Database Connectivity (ODBC) (continued)
• ODBC defines– Standardized representation of data types– A library of ODBC functions– Standard methods of connecting to and logging on to
a DBMS
Hands-On Ethical Hacking and Network Defense 31
Object Linking and Embedding Database (OLE DB)
• OLE DB is a set of interfaces– Enables applications to access data stored in a
DBMS
• Developed by Microsoft– Designed to be faster, more efficient, and more
stable than ODBC
• OLE DB relies on connection strings
• Different providers can be used with OLE DB depending on the DBMS to which you want to connect
Hands-On Ethical Hacking and Network Defense 32
Hands-On Ethical Hacking and Network Defense 33
ActiveX Data Objects (ADO)• ActiveX defines a set of technologies that allow
desktop applications to interact with the Web• ADO is a programming interface that allows Web
applications to access databases• Steps for accessing a database from a Web page
– Create an ADO connection– Open the database connection you just created– Create an ADO recordset– Open the recordset– Select the data you need– Close the recordset and the connection
Hands-On Ethical Hacking and Network Defense 34
Understanding Web Application Vulnerabilities
• Many platforms and programming languages can be used to design a Web site
• Application security is as important as network security
• Attackers controlling a Web server can– Deface the Web site– Destroy or steal company’s data– Gain control of user accounts– Perform secondary attacks from the Web site– Gain root access to other applications or servers
Hands-On Ethical Hacking and Network Defense 35
Application Vulnerabilities Countermeasures
• Open Web Application Security Project (OWASP)– Open, not-for-profit organization dedicated to finding
and fighting vulnerabilities in Web applications– Publishes the Ten Most Critical Web Application
Security Vulnerabilities
• Top-10 Web application vulnerabilities– Unvalidated parameters
• HTTP requests are not validated by the Web server
– Broken access control• Developers implement access controls but fail to test
them properly
Hands-On Ethical Hacking and Network Defense 36
Application Vulnerabilities Countermeasures (continued)
• Top-10 Web application vulnerabilities (continued)– Broken account and session management
• Enables attackers to compromise passwords or session cookies to gain access to accounts
– Cross-site scripting (XSS) flaws• Attacker can use a Web application to run a script on
the Web browser of the system he or she is attacking
– Buffer overflows• It is possible for an attacker to use C or C++ code that
includes a buffer overflow
Hands-On Ethical Hacking and Network Defense 37
Application Vulnerabilities Countermeasures (continued)
• Top-10 Web application vulnerabilities (continued)– Command injection flaws
• An attacker can embed malicious code and run a program on the database server
– Error-handling problems• Error information sent to the user might reveal
information that an attacker can use
– Insecure use of cryptography• Storing keys, certificates, and passwords on a Web
server can be dangerous
Hands-On Ethical Hacking and Network Defense 38
Application Vulnerabilities Countermeasures (continued)
• Top-10 Web application vulnerabilities (continued)– Remote administration flaws
• Attacker can gain access to the Web server through the remote administration interface
– Web and application server misconfiguration• Any Web server software out of the box is usually
vulnerable to attack
– Default accounts and passwords
– Overly informative error messages
Hands-On Ethical Hacking and Network Defense 39
Application Vulnerabilities Countermeasures (continued)
• WebGoat project– Helps security testers learn how to perform
vulnerabilities testing on Web applications– Developed by OWASP
• WebGoat can be used to– Reveal HTML or Java code and any cookies or
parameters used– Hack a logon name and password
Hands-On Ethical Hacking and Network Defense 40
Hands-On Ethical Hacking and Network Defense 41
Hands-On Ethical Hacking and Network Defense 42
Application Vulnerabilities Countermeasures (continued)
• WebGoat can be used to– Traverse a file system on a Windows XP computer
running Apache– WebGoat’s big challenge
• Defeat an authentication mechanism
• Steal credit cards from a database
• Deface a Web site
Hands-On Ethical Hacking and Network Defense 43
Hands-On Ethical Hacking and Network Defense 44
Hands-On Ethical Hacking and Network Defense 45
Hands-On Ethical Hacking and Network Defense 46
Assessing Web Applications
• Security testers should look for answers to some important questions– Does the Web application use dynamic Web pages?– Does the Web application connect to a backend
database server?– Does the Web application require authentication of
the user?– On what platform was the Web application
developed?
Hands-On Ethical Hacking and Network Defense 47
Does the Web Application Use Dynamic Web Pages?
• Static Web pages do not create a security environment
• IIS attack example– Submitting a specially formatted URL to the attacked
Web server
• IIS does not correctly parse the URL information– Attackers could launch a Unicode exploithttp://www.nopatchiss.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c
– Attacker can even install a Trojan program
Hands-On Ethical Hacking and Network Defense 48
Does the Web Application Connect to a Backend Database Server?
• Security testers should check for the possibility of SQL injection being used to attack the system
• SQL injection involves the attacker supplying SQL commands on a Web application field
• SQL injection examplesSELECT * FROM customer
WHERE tblusername = ' ' OR 1=1 -- ' AND tblpassword = ' '
orSELECT * FROM customer
WHERE tblusername = ' OR "=" AND tblpassword = ' OR "="
Hands-On Ethical Hacking and Network Defense 49
Does the Web Application Connect to a Backend Database Server?
(continued)• Basic testing should look for
– Whether you can enter text with punctuation marks– Whether you can enter a single quotation mark
followed by any SQL keywords– Whether you can get any sort of database error
when attempting to inject SQL
Hands-On Ethical Hacking and Network Defense 50
Does the Web Application Require Authentication of the User?
• Many Web applications require another server authenticate users
• Examine how information is passed between the two servers– Encrypted channels
• Verify that logon and password information is stored on secure places
• Authentication servers introduce a second target
Hands-On Ethical Hacking and Network Defense 51
On What Platform Was the Web Application Developed?
• Several different platforms and technologies can be used to develop Web applications
• Attacks differ depending on the platform and technology used to develop the application– Footprinting is used to find out as much information
as possible about a target system– The more you know about a system the easier it is to
gather information about its vulnerabilities
Hands-On Ethical Hacking and Network Defense 52
Tools of Web Attackers and Security Testers
• Choose the right tools for the job
• Attackers look for tools that enable them to attack the system– They choose their tools based on the vulnerabilities
found on a target system or application
Hands-On Ethical Hacking and Network Defense 53
Web Tools
• Cgiscan.c: CGI scanning tool– Written in C in 1999 by Bronc Buster– Tool for searching Web sites for CGI scripts that can
be exploited– One of the best tools for scanning the Web for
systems with CGI vulnerabilities
Hands-On Ethical Hacking and Network Defense 54
Hands-On Ethical Hacking and Network Defense 55
Web Tools (continued)
• Phfscan.c– Written to scan Web sites looking for hosts that
could be exploited by the PHF bug– The PHF bug enables an attacker to download the
victim’s /etc/passwd file– It also allows attackers to run programs on the
victim’s Web server by using a particular URL
Hands-On Ethical Hacking and Network Defense 56
Web Tools (continued)
• Wfetch: GUI tool– This tool queries the status of a Web server– It also attempts authentication using
• Multiple HTTP methods
• Configuration of host name and TCP port
• HTTP 1.0 and HTTP 1.1 support
• Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiation authentication types
• Multiple connection types
• Proxy support
• Client-certificate support
Hands-On Ethical Hacking and Network Defense 57
Hands-On Ethical Hacking and Network Defense 58
Summary
• Web applications can be developed on many platforms
• HTML pages can contain– Forms– ASP– CGI– Scripting languages
• Static pages have been replaced by dynamic pages
• Dynamic Web pages can be created using CGI, ASP, and JSP
Hands-On Ethical Hacking and Network Defense 59
Summary (continued)
• Web forms allows developers to create Web pages with which visitors can interact
• Web applications use a variety of technologies to connect to databases– ODBC– OLE DB– ADO
• Security tests should check– Whether the application connects to a database– If the user is authenticated through a different server
Hands-On Ethical Hacking and Network Defense 60
Summary (continued)
• Many tools are available for security testers– Cgiscan– Wfetch– OWASP open-source software
• Web applications that connect to databases might be vulnerable to SQL injection
• There are many free tools for attacking Web servers available in the Internet