gofortution

Hacking Web Applications


Transcript of gofortution

Page 1: gofortution

Hacking Web Applications

Page 2

WWW

Enables online shopping, online banking, online research, information searching (a global library) and communication.

Page 3

Web Application Architecture: three-tier architecture

A client-server (request-response) relationship exists between (a) the client and the web server and (b) the web server and the database server.

The first relationship uses the HTTP protocol; the second uses the database query language, primarily SQL.

Clients (HTML, CSS, JavaScript); web servers (Apache) with a scripting language (Python, PHP); database servers (MySQL, PostgreSQL).

Page 4

HTML

Markup language; tags define the format in which information is presented. It is the data presentation engine for web applications (client and server sides).

Abuse of tags: the hidden <INPUT> user-input element specifies a value that is not displayed in the browser but is submitted with the other data entered in the same form. It can be altered on the client side and posted to the server.

Drawback: a static format, being replaced by XML, which is more extensible and flexible in representing all types of data.
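The hidden-field abuse above, shown from the server's side as an added example (not code from the original slides): a checkout that trusts a hidden `price` field beside a hardened version that integrity-checks the hidden field with an HMAC and looks the price up server-side. The catalogue, key and form values are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed server-side catalogue: the authoritative price lives here, never in the form.
CATALOGUE = {"sku-100": 2500, "sku-200": 9900}   # prices in cents
SECRET_KEY = b"constructed-demo-key"              # assumption: loaded from config in a real app


def sign_hidden_field(name, value):
    """Server emits hidden fields as value|HMAC so client-side edits are detectable."""
    mac = hmac.new(SECRET_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_hidden_field(name, signed):
    """Return the value only if its HMAC matches; otherwise the field was altered."""
    value, _, mac = signed.rpartition("|")
    expected = hmac.new(SECRET_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError(f"hidden field {name!r} was altered on the client side")
    return value


def is_tampered(form):
    """Convenience check used by the examples below."""
    try:
        verify_hidden_field("sku", form["sku"])
        return False
    except ValueError:
        return True


def checkout_trusting_form(form):
    # Vulnerable pattern: the hidden price field is taken at face value.
    return int(form["price"]) * int(form["qty"])


def checkout_hardened(form):
    # Hardened pattern: the hidden sku is integrity-checked, the price comes from the
    # server-side catalogue, and the visible quantity is range-checked.
    sku = verify_hidden_field("sku", form["sku"])
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty
```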

Page 5

HTTP

Medium of communication between client and server.

Simple: a limited set of basic functionalities, request and response. It defines a mechanism to request a resource (URL); the server returns the resource if it is available. There is no cryptic syntax to understand.

Stateless: if a client requests a resource, receives a response and then requests another, the server regards the second request as wholly separate and unique. No session is maintained, so an attacker does not need to plan multistage attacks.

Text-based: no need to understand a complex binary encoding scheme or to use a translator; all requests and responses are in clear text.

Today, many web applications tunnel HTTP over SSL, which provides transport-layer encryption so that intermediary devices cannot read the traffic. SSL does nothing for the overall security of a web application other than making it more difficult to eavesdrop on the traffic between client and server.

Page 6

Web Client

Web browser: one of the greatest weapons available to attackers today. It communicates with the server using HTTP and is presented with HTML. It also allows requests for other resources (FTP), speaking other protocols (SSL), etc.

Page 7

Web Server

Described as an HTTP daemon. It receives the client request, performs basic parsing on the request to ensure the resource exists, and hands it to the web application logic for processing; the logic returns a response, and the HTTP daemon returns it to the client.

Popular web server packages: IIS, Apache server.

Page 8

Web applications

Server-side logic, the so-called n-tier architecture, comprises:

Presentation layer: receiving input and displaying results.

Logic layer: taking input from the presentation layer, performing some tasks and returning results.

Data layer: non-volatile storage of information; can be queried or updated.

Page 9

Intermediaries

To make the web application architecture more scalable, it needs:

Proxies: a single gateway through which all connections have to pass. It terminates the initial browser request and then requests the original resource on behalf of the client. The gateway is able to cache commonly requested Internet content to save bandwidth and increase performance. Bad side: difficulty in tracing clients' addresses, since all of them show the proxy's address; how to differentiate clients?

Load balancers: a reverse proxy that manages the incoming load of client requests and distributes them across identically configured web servers; transparent to clients. Categorized into static (requests routed in a predetermined fashion such as round robin) or dynamic (requests shunted to servers based on variables such as least connections or fastest link). Examples: Cisco LocalDirector, F5's BIG-IP.
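One answer to the "how to differentiate clients?" question when every connection arrives from the proxy or load balancer: attribute requests using the X-Forwarded-For chain, but only trust the hops added by proxies you operate. This is an added example, not code from the slides; the trusted proxy networks and addresses are constructed.

```python
import ipaddress

# Constructed: the proxy / load-balancer networks we operate. Only X-Forwarded-For
# entries appended by these hops are believed (assumption: taken from config in practice).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def is_trusted_proxy(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_address(peer_addr, xff_header):
    """Return the address a request should be logged against.

    peer_addr is the TCP peer (the last proxy, or the client itself when there is
    no proxy). xff_header is the X-Forwarded-For value: a comma-separated chain
    that each proxy appends the address it saw to. Walk it from the right,
    discarding hops we operate; the first address that is not one of our proxies
    is the best attribution available. Anything further left was supplied by an
    untrusted party (the client can send an arbitrary header) and is ignored.
    """
    if not is_trusted_proxy(peer_addr):
        # Direct connection: the header is attacker-controllable, so ignore it.
        return peer_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    while hops:
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            # Malformed header: fall back to the proxy's own address rather than guess.
            return peer_addr
        if not is_trusted_proxy(candidate):
            return candidate
    return peer_addr
```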

Page 10

Potential weak spots

Web client: active content execution (small executables or script code that can be rendered within a browser to provide dynamic client-resident executable behaviour that could offload a lot of server logic, e.g. Microsoft ActiveX and Sun's Java), client software vulnerability exploitation, cross-site scripting errors (improper input sanitation on the server side, which allows input of script commands that are interpreted by the client-side browser; refer to the example on pp. 289-292).

Transport: eavesdropping on client-server communications, SSL redirection.

Web server: web server software vulnerabilities.

Web application: attacks against authentication, authorization, input validation, application logic.

Database: running privileged commands, query manipulation.

Page 11

Methodology of web hacking

1. Profile the infrastructure
2. Attack web servers
3. Survey the application
4. Attack authentication mechanisms
5. Attack authorization schemes
6. Perform functional analysis
7. Exploit data connectivity
8. Attack management interfaces
9. Attack the client
10. Launch DoS attacks

Page 12

Profile the infrastructure

Identifies the most basic components of the web application: server IP address and virtual IPs; server ports and other services; server type and version.

Page 13

How?

a. Simply append www. and .com (or .org, .edu or .gov) and there is a very good chance of finding a web server.

b. Internet footprinting: create a complete profile of a target's information technology infrastructure, primarily carried out with the whois utility (used to find assigned Internet IP address ranges, registered DNS domain names and related data, and the administrative contact for an Internet presence). http://www.arin.net/whois.

Page 14

c. DNS interrogation: start the nslookup client, specify the DNS server to query, then ls -d domain.

d. Ping: the most basic approach to discovering a server.

e. Port scanning: the most efficient method; attempts to connect to a specific set of TCP and/or UDP ports and determine whether a service exists. If a response is received, the responding IP address is a "live" address; a comprehensive list of potential ports is needed.

Page 15

Service discovery

Once a server has been identified, figure out which ports are running HTTP (or SSL) with the port scanning method.

Running a scan for services can be done straightforwardly with the fscan command:

D:\> fscan -qp 80, 81, 88, 443 .....

This will return the IP of any server running web-related services.
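The port scanning and service discovery steps above leave a characteristic trace on the target side: one source touching many distinct ports on one host in a short window. The detector below, an added example rather than anything from the slides, runs over constructed firewall log lines in a syslog-like key=value format and flags such sources.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log: timestamp, source, destination, destination port, verdict.
# 203.0.113.9 probes the web-related ports from the slide (80, 81, 88, 443) and more.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=203.0.113.9 dst=192.0.2.20 dpt=80 action=ACCEPT
2024-05-01T10:00:01 src=203.0.113.9 dst=192.0.2.20 dpt=81 action=DROP
2024-05-01T10:00:02 src=203.0.113.9 dst=192.0.2.20 dpt=88 action=DROP
2024-05-01T10:00:02 src=203.0.113.9 dst=192.0.2.20 dpt=443 action=ACCEPT
2024-05-01T10:00:03 src=203.0.113.9 dst=192.0.2.20 dpt=8080 action=DROP
2024-05-01T10:00:04 src=203.0.113.9 dst=192.0.2.20 dpt=8443 action=DROP
2024-05-01T10:00:10 src=198.51.100.4 dst=192.0.2.20 dpt=443 action=ACCEPT
2024-05-01T10:00:11 src=198.51.100.4 dst=192.0.2.20 dpt=443 action=ACCEPT
2024-05-01T10:09:00 src=203.0.113.9 dst=192.0.2.20 dpt=22 action=DROP
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dst_port, action)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dpt"]), kv["action"]


def detect_port_scans(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag (src, dst) pairs where src touched at least `threshold` distinct ports on
    dst within any `window`-long span. Dropped and accepted connections both count:
    a scan is defined by breadth of ports, not by whether the probe succeeded."""
    events = defaultdict(list)            # (src, dst) -> [(ts, port), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = parse_line(line)
        events[(src, dst)].append((ts, port))

    alerts = {}
    for (src, dst), hits in events.items():
        hits.sort()
        for i, (start, _port) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= threshold:
                alerts[(src, dst)] = sorted(ports)
                break
    return alerts
```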

Page 16

Attacks on the web server (IIS)

IIS security vulnerabilities are grouped into:

Attacks against IIS components. IIS relies on its DLLs, which provide various capabilities to the server (script execution, content indexing, web-based printing, etc.); these functions can be invoked by requesting a file with the appropriate extension from IIS (for example .prt): the ISAPI (Internet Server Application Programming Interface) DLLs. The extreme case involves a buffer overflow (the NIMDA and Code Red worms): IIS halted.

Page 17

Countermeasures for ISAPI DLLs

Remove unused extension mappings. Keep up with Microsoft service packs and hotfixes. Use IISLockDown and UrlScan.

IISLockDown: an automated, template-driven utility for applying security configurations to IIS.

UrlScan: manually installed on the server; an ISAPI filter that must be located in front of IIS so that it intercepts HTTP requests before IIS does. It determines which HTTP requests will be rejected (returning HTTP 404 "Object Not Found" to deny requests).

Page 18

Automated vulnerability scanning software: Whisker, Nikto, Twwwscan/arirang, Stealth HTTP Scanner, Typhon, WebInspect, AppScan, FoundScan Web.

Page 19

DoS against web servers

A web server needs to listen on at least a single port in order to provide a useful service, and this makes it a ripe target for simple resource consumption attacks.

1. TCP connect flood. Web servers handle HTTP requests; if enough requests are generated in a short amount of time, resources will be overwhelmed (the PortF*** tool is used to test DoS attacks).

Countermeasures: adding more resources until the other side runs out (higher cost: more processors, memory, bandwidth); the Cisco rate limit feature, which limits the maximum amount of bandwidth allowed from one destination network or interface on a router.
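The rate-limit countermeasure, applied per source at an application front end as an added example (not the slides' code and not the Cisco feature itself): a token bucket that caps each source's sustained request rate while leaving other clients unaffected. The clock, rate and addresses are constructed so the demonstration is deterministic.

```python
import time
from collections import defaultdict


class TokenBucketLimiter:
    """Per-source token bucket: each source gets `rate` requests per second on
    average with bursts of up to `burst`; the same idea as a router rate limit,
    keyed on the requesting address instead of an interface."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        # src -> [tokens, time of last refill]; a new source starts with a full bucket
        self.buckets = defaultdict(lambda: [burst, clock()])

    def allow(self, src):
        tokens, last = self.buckets[src]
        now = self.clock()
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # lazy refill
        if tokens >= 1:
            self.buckets[src] = [tokens - 1, now]
            return True
        self.buckets[src] = [tokens, now]
        return False


def simulate_flood(limiter, src, n):
    """Fire n requests from src in the same instant; returns (accepted, rejected)."""
    results = [limiter.allow(src) for _ in range(n)]
    return results.count(True), results.count(False)


class ManualClock:
    """Constructed clock so the demonstration needs no sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = ManualClock()
    limiter = TokenBucketLimiter(rate=2, burst=5, clock=clock)
    flood = simulate_flood(limiter, "203.0.113.9", 100)   # constructed flooding source
    other = limiter.allow("198.51.100.4")                  # an unrelated client is unaffected
    clock.advance(1.0)                                     # one second later, 2 tokens refilled
    after = [limiter.allow("203.0.113.9") for _ in range(3)]
    return flood, other, after
```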

Page 20

2. Specific DoS vulnerabilities: exploit vulnerabilities in the web server software. IIS WebDAV PROPFIND DoS attack: padding an XML WebDAV request with an overlong value causes the IIS service to restart.

Countermeasures: get the relevant patches; disable the IIS WebDAV feature using the IISLockDown tool. However, disabling it will cause the loss of Web Folders, publishing to the web site using Office 2000, and monitoring the IIS 5.0 server via Digital Dashboard.

Page 21

Survey the application

Generate a complete picture of the content, components, function and flow of the web site in order to gather clues about where to find underlying vulnerabilities such as input validation flaws or SQL injection.

Page 22

Documenting application structure

Do a simple click-through to get familiar with the web site: menus, directories. List in a matrix table, for each page: page name, its full path, whether authentication is required, whether SSL is used, GET/POST arguments, and comments (personal notes).

Page 23

Manually inspect the application

Click on every link you can find. Record each page's information in the attack matrix. Look for statically generated pages (.html files, which lack functionality to attack: no input to test) and dynamically generated pages (.php, .asp, .jsp), the directory structure, helper files, Java classes and applets, HTML comments and content, forms, query strings, and back-end connectivity.

What authentication method is used?

Page 24

Directory structure

Try to guess the mindset of the administrator. Check on:

Directories supposed to be secure: /admin, /secure, /adm

Directories that contain backup files or log files: /.bak, /backup, /back, /log, /logs, /archive, /old

Directories for include files: /include, /inc, /global, /local
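A request filter in the spirit of the UrlScan countermeasure on Page 17 (allow only the extensions the application needs, deny everything else with a 404) that also closes off the guessable directories listed on this page. This is an added example, not the slides' code or UrlScan itself; the allowed extensions and blocked prefixes are a constructed policy, and the WebDAV method check ties in with the PROPFIND slide.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed policy: the only extensions the application serves (assumption: an
# .asp application with static assets); everything else, e.g. the .prt mapping from
# the IIS slide, is treated as an unused extension mapping and refused.
ALLOWED_EXTENSIONS = {"", ".asp", ".html", ".css", ".js", ".png", ".gif"}
# Directories from this page that should never be reachable from the Internet.
BLOCKED_PREFIXES = ("/admin", "/secure", "/adm", "/.bak", "/backup", "/back", "/log",
                    "/logs", "/archive", "/old", "/include", "/inc", "/global", "/local")
ALLOWED_METHODS = {"GET", "POST", "HEAD"}        # no WebDAV verbs such as PROPFIND


def normalize_path(raw_path):
    """Decode percent-encoding (twice, to catch double encoding) and collapse dot
    segments so the policy is judged on the real target, not its spelling."""
    path = unquote(unquote(raw_path)).replace("\\", "/")
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def decide(request_line):
    """Return ('allow' | 'deny', normalized_path) for one HTTP request line.
    Denied requests should be answered with 404, as UrlScan does, so the filter
    reveals nothing about which resources exist."""
    method, target, _version = request_line.split(" ", 2)
    path = normalize_path(urlsplit(target).path)
    lowered = path.lower()
    if method not in ALLOWED_METHODS:
        return "deny", path
    if any(lowered == p or lowered.startswith(p + "/") for p in BLOCKED_PREFIXES):
        return "deny", path
    if posixpath.splitext(lowered)[1] not in ALLOWED_EXTENSIONS:
        return "deny", path
    return "allow", path
```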

Page 25: gofortution