ISA 330 Introduction to Proactive System Security, Philip Robbins, November 9, 2013: Hacking Web Servers and Applications (Information Security & Assurance)
Slide 1: ISA 330 Introduction to Proactive System Security
- Philip Robbins, November 9, 2013
- Hacking Web Servers and Applications
- Information Security & Assurance Program, University of Hawai'i West Oahu
- Week #6

Slide 2: Hacking Web Servers and Applications: Topics
- Web Applications
- Web Servers
- Review Q&A
- Quiz #5

Slide 4: What are Web Applications?
- Any application that uses a Web browser as a client.
- Convenient.
- Popular method of distribution.
- Web apps have a larger user base than standalone applications.

Slides 5-7: What are Web Applications? (heading only)

Slide 8: Web Applications and Web Servers (heading only)

Slide 9: Web Applications
- Static Web pages: created using HTML; the same information is provided regardless of time or user.
- Dynamic Web pages: the information provided varies; special components are used: forms, CGI, ASP, PHP, CF, JavaScript, database connectors.

Slide 10: Web Applications: Static Web Pages vs. Dynamic Web Pages (heading only)

Slides 11-12: Web Application Components: Web Forms (heading only)

Slide 13: Web Application Components: Web Forms
- Uses the <form> element (tag) in an HTML document.
- Allows the user to submit information to the Web server.
- Web servers process information from a form using a Web application.
- Gives attackers an easy way to intercept submitted data.

Slide 14: Web Application Components: Common Gateway Interface (CGI)
- Method used to generate dynamic content for Web pages and applications.
- Provides an interface between the content within databases and the applications that generate / serve up Web content.
- A CGI script could be written in Perl, Java, Python, or any other programming language.
- Placed in the cgi-bin directory on the Web server.

Slide 15: Web Application Components: Common Gateway Interface (CGI)
- The Web server software executes the CGI script.
- The CGI script creates an HTML page with dynamically obtained information.
- (diagram labels: Script, Server)

Slide 16: Web Application Components (heading only)

Slide 17: Web Application Components: Common Gateway Interface (CGI)
- Which programming language?
- Static or dynamic page?
Slide 18: Web Application Components: Common Gateway Interface (CGI)
- Which programming language?
- Static or dynamic page?

Slide 19: Web Application Components: Active Server Pages (ASP)
- Microsoft's first server-side script engine for dynamically generated Web pages.
- Not a programming language.
- Technology that allows the creation of dynamic, interactive Web pages using scripting languages such as JScript or VBScript.
- Runs only on Windows platforms; Web servers running IIS support ASP.
- ASP.NET supersedes ASP and is supported by IIS 5.0+.

Slide 20: Web Application Components: Active Server Pages (ASP) (heading only)

Slide 21: Web Application Components (heading only)

Slide 22: Web Application Components: Active Server Pages (ASP)
- Runs the script and returns HTML.

Slide 23: Web Application Components: PHP: Hypertext Preprocessor (PHP)
- Similar to ASP.
- Open-source server-side scripting language used to create dynamic Web pages.
- Embedded in an HTML Web page using PHP tags (<?php ... ?>).
- You shouldn't be able to view the source code in Web browsers.
- Originally used mainly on UNIX systems.

Slide 24: Web Application Components: PHP: Hypertext Preprocessor (PHP) (heading only)

Slide 25: Web Application Components: ColdFusion
- Another server-side scripting language for developing dynamic Web pages.
- Uses proprietary tags.
- Written in ColdFusion Markup Language (CFML).
- Can contain other languages (e.g. HTML, JavaScript).

Slide 26: Web Application Components: ColdFusion (heading only)

Slide 27: Web Application Components: VBScript
- Active Scripting language developed by Microsoft.
- Modeled on Visual Basic.
- Converts static Web pages into dynamic Web pages.
- Lightweight programming language with powerful features.

Slide 28: Web Application Components: VBScript (heading only)

Slide 29: Web Application Components: JavaScript
- Popular scripting language for creating dynamic Web pages.
- Widely used.
- Variety of vulnerabilities.
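The CGI flow on slides 14-15 (the Web server runs the script, the script builds an HTML page from dynamically obtained data) as an added worked example; this is not code from the lecture. It assumes a constructed in-memory product table standing in for the back-end database and a hypothetical `id` query parameter. Form and query-string input is untrusted, so the script validates the parameter against a strict whitelist (digits only) before the lookup, and escapes everything it echoes into the page.

```python
import os
import sys
from html import escape
from urllib.parse import parse_qs

# Constructed stand-in for the back-end database a CGI script would query.
PRODUCTS = {
    1: ("Widget", 9.99),
    2: ("Gadget", 24.50),
}


def handle(environ):
    """Build the CGI response (status, html_body) from the CGI environment.

    The Web server hands the request to the script through environment
    variables; QUERY_STRING carries the form data of a GET request.
    Returning a tuple keeps the logic testable without a Web server.
    """
    params = parse_qs(environ.get("QUERY_STRING", ""))
    raw_id = params.get("id", [""])[0]

    # Whitelist validation: the only acceptable id is a short run of digits.
    # Quotes, dashes, encoded bytes or an empty value are rejected before the
    # value can reach a database query or be echoed back into the page.
    if not (raw_id.isdigit() and len(raw_id) <= 6):
        return "400 Bad Request", "<h1>Invalid product id</h1>"

    product = PRODUCTS.get(int(raw_id))
    if product is None:
        return "404 Not Found", "<h1>No such product</h1>"

    name, price = product
    # Even server-side data is HTML-escaped on output, so a product name
    # containing markup can never become live HTML.
    body = "<h1>%s</h1><p>Price: %.2f</p>" % (escape(name), price)
    return "200 OK", body


def main():
    status, body = handle(os.environ)
    # A CGI script must emit its headers, a blank line, and then the body.
    sys.stdout.write("Status: %s\r\n" % status)
    sys.stdout.write("Content-Type: text/html; charset=utf-8\r\n\r\n")
    sys.stdout.write(body)


if __name__ == "__main__":
    main()
```

Dropped into a cgi-bin directory, the script would be invoked by the server with `QUERY_STRING` set from the URL; the `handle()` function can also be called directly with a dict to see how each kind of input is treated.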
Slide 30: Web Application Components: JavaScript (heading only)

Slide 31: Web Application Components: Internet Information Services (IIS) (heading only)

Slide 32: Web Application Components: Internet Information Services (IIS)
- Formerly named Internet Information Server.
- Internet-based services installed on Web servers running Microsoft Windows.

Slide 34: Web Application Components: Apache Web Server (heading only)

Slide 35: Web Application Components: Apache Web Server
- Another Web server program.
- Runs on twice as many Web servers as IIS.
- Free.
- Works on any platform (*nix and Windows).

Slide 36: Connecting to Databases
- Open Database Connectivity (ODBC): programming-language middleware API for accessing database management systems (DBMS).
- Object Linking and Embedding Database (OLE DB): allows applications to access data stored in a DBMS. Designed by Microsoft to be faster, more efficient and more stable than ODBC. Depending on the data source you're connecting to, you may use a different provider.

Slides 37-38: Connecting to Databases: Object Linking and Embedding Database (OLE DB) (heading only)

Slide 40: Web Application Vulnerabilities
- Many platforms and programming languages can be used to design a Web site.
- Important to remember: application security is just as important as network security!! Network-layer protection doesn't prevent application-layer attacks from occurring.

Slide 41: Web Application Vulnerabilities
- Attackers controlling a Web site can: deface the site; destroy the company's database; steal information (PII) and sell it; perform other (secondary) attacks; gain root access to other application servers; exploit server-side scripting.

Slide 42: How are Web Sites Defaced?
- Man-in-the-middle attack
- Password brute-force attack on admin accounts
- DNS attack
- FTP server intrusion
- Mail server intrusion
- Rerouting after a firewall attack
- SQL injection
- URL poisoning
- Web server extension intrusion
- Remote service intrusion

Slide 44: Top Web Application Vulnerabilities
- Cross-Site Scripting (XSS) flaws
- Injection flaws and malicious file execution
- Unsecured direct object reference (URL manipulation)
- Cross-site request forgery (CSRF)
- Information leakage and incorrect error handling
- Broken authentication and session management
- Unsecured cryptographic storage
- Unsecured communications
- Failure to restrict URL access

Slide 45: Web Application Threats: Command Injection Flaws
- Allow attackers to pass malicious code to different systems via a Web application.

Slide 46: Web Application Threats: Parameter/Form Tampering
- Takes advantage of the fact that many programmers rely on hidden or fixed fields as the only security measure for certain operations.

Slide 47: Web Server Vulnerabilities
- Server vulnerabilities can be exploited by hackers using their browser address window, causing commands to be executed.

Slide 48: Web Server Vulnerabilities
- Canonicalization error in IIS 4.0 and 5.0: enables an intruder to use a specific malformed URL to access files and folders located on the logical drive that includes the Web folders.

Slide 49: Web Application Threats: Cross-Site Scripting (XSS) Flaws
- Injection of malicious code into an otherwise legitimate Web site.
- The injected code is executed by unsuspecting users when they view the Web site, resulting in a potential breach of privacy, session hijacking, or drive-by download of malware.
- The attacker takes advantage of the trust you have in a Web site's security.

Slide 50: Web Application Threats: Cross-Site Scripting (XSS) Flaws
- Attacks occur in the browser and are platform independent.
- Two categories: reflected (non-persistent) and stored (persistent).
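The two XSS categories from slides 49-50 as an added worked example (not lecture code): a reflected surface, where the page echoes a request parameter back, and a stored surface, where a comment is saved once and rendered to every later visitor. The inputs are constructed, the `<script>alert('xss')</script>` string is the usual harmless test marker, and the mitigation shown is output encoding with Python's `html.escape`, applied at the point where untrusted text is written into HTML.

```python
from html import escape

# Constructed sample inputs for the demonstration.
BENIGN_COMMENT = "Great lecture!"
SCRIPT_COMMENT = "<script>alert('xss')</script>"


def render_search(query, escape_output=True):
    """Reflected XSS surface: the page echoes the request parameter back.

    With escape_output=False the markup in the query lands in the page as
    live HTML; with the default it is rendered as visible text.
    """
    shown = escape(query, quote=True) if escape_output else query
    return "<p>Results for: %s</p>" % shown


class CommentStore:
    """Stored XSS surface: comments are persisted and rendered to everyone,
    so one unescaped submission affects every later visitor."""

    def __init__(self):
        self._comments = []

    def add(self, author, text):
        # Storing raw text is fine; the encoding decision belongs to output.
        self._comments.append((author, text))

    def render(self, escape_output=True):
        items = []
        for author, text in self._comments:
            if escape_output:
                author = escape(author, quote=True)
                text = escape(text, quote=True)
            items.append("<li><b>%s</b>: %s</li>" % (author, text))
        return "<ul>%s</ul>" % "".join(items)


def contains_live_markup(html_fragment, user_text):
    """True when the user-supplied text survived into the page as raw HTML."""
    return user_text in html_fragment


def demo():
    """Exercise both surfaces with and without output encoding.

    Returns a dict of booleans; True means the script element reached the
    page as executable markup.
    """
    store = CommentStore()
    store.add("alice", BENIGN_COMMENT)
    store.add("mallory", SCRIPT_COMMENT)
    return {
        "reflected_unescaped": contains_live_markup(render_search(SCRIPT_COMMENT, False), SCRIPT_COMMENT),
        "reflected_escaped": contains_live_markup(render_search(SCRIPT_COMMENT), SCRIPT_COMMENT),
        "stored_unescaped": contains_live_markup(store.render(False), SCRIPT_COMMENT),
        "stored_escaped": contains_live_markup(store.render(), SCRIPT_COMMENT),
    }


if __name__ == "__main__":
    for surface, live in demo().items():
        print("%-20s script reaches page as markup: %s" % (surface, live))
```

The reflected case only affects the user who follows a crafted link, while the stored case affects everyone who loads the comment page, which is why the slides call the latter persistent; the fix is the same in both places, and it lives in the rendering code rather than in the storage layer.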
Slide 51: Web Application Threats: Cross-Site Scripting (XSS) Flaws (heading only)

Slide 52: Web Application Threats: Cross-Site Scripting (XSS) Flaws
- The payload is stored on the Web site.

Slide 53: Web Application Threats: Cookie/Session Poisoning
- Cookies frequently transmit sensitive credentials.
- They can be modified with relative ease in order to escalate access or assume another user's identity.
- Modify the cost of purchases.

Slide 54: Web Application Threats: Buffer / Stack Overflow
- The execution stack of a Web application is damaged when a buffer overflows.

Slide 55: Web Application Threats: Directory Traversal / Forceful Browsing
- The attacker is able to browse directories and files outside the normal application access.

Slide 56: Web Application Threats: Attack Obfuscation
- Attackers often work hard to mask or hide their attacks and avoid detection by encoding their requests, with methods such as URL encoding using Unicode.

Slide 57: Web Application Threats: Platform Exploits
- Web applications are built upon application platforms.
- Platforms are well understood and have well-known vulnerabilities with associated exploits.

Slide 58: Web Application Threats: Cryptographic Interception
- Attackers attack sensitive hand-off points where data is temporarily unprotected.

Slide 59: Web Application Threats
- Authentication hijacking: insecure credential and identity management can lead to account hijacking and theft of services.
- Log tampering: an attacker, in an attempt to cover tracks, will usually delete logs, modify logs, change user information, and otherwise destroy all evidence of the attack.
- Error message interception: error messages that contain site-specific information allow attackers to learn private application architectures.

Slide 60: Web Application Threats
- Network access attacks: attacks using techniques such as spoofing, bridging, ACL attacks, and stack attacks attempt to pass through intended access control and routing policies.
- TCP fragmentation: fragmenting an attack into multiple TCP packets allows attackers to slip by devices that inspect only the packets and not the entire session.

Slide 62: SQL: WTF is it?
- Structured Query Language (SQL)
- Pronounced "sequel"; newbs pronounce it "ess cue ell".
- Programming language that manages data in databases.
- One of the most common vulnerabilities today!

Slide 63: SQL: WTF is it? Structured Query Language (SQL) (heading only)

Slide 64: Web Application Threats: SQL Injection
- Uses command sequences from SQL statements to control database data directly.

Slide 65: Web Application Threats: SQL Injection: Login Bypass (heading only)

Slide 66: Web Application Threats: SQL Injection: Login Bypass
- The power of the single quote ('): it closes the string parameter, so anything after it is treated as part of the SQL command.
- Comments: /* */ and --. Because anything after the -- is ignored, the injection works even without any specific injection into the password field.

Slide 67: Web Application Threats: SQL Injection: Disruption
- "I don't care about the data; I just want to bring the application down."

Slide 69: Assessing our Web Applications & Servers
- Look for answers to some important questions: Does the Web application use dynamic Web pages? Does it connect to a back-end database server? Does it require authentication of the user? On what platform was it developed?
- Follow the flow of information: is encryption (SSL) being used?

Slide 70: Protecting our Web Servers
- Patches, hotfixes, patch management
- Vulnerability scanners
- Online vulnerability search engine (NVD)
- Implement authentication methods
- Application + network protection: utilize IDS / IPS, VLANs, & DMZs
- Logging

Slide 71: Protecting our Web Applications & Servers
- Capturing and maintaining system log files is an important part of Web server administration.
- Rules for IIS logging: configure the IIS logs to record every available field; capture events with a proper time stamp; ensure continuity in the logs; ensure that logs are not modified in any way after they have been originally recorded; plan log backups and the storage location.

Slide 72: Protecting our Web Applications & Servers
- Use of firewalls
- Administrator account renaming
- Disabling default Web sites
- Removal of unused application mappings
- Disabling directory browsing
- Legal notices
- Checking for malicious input in forms and query strings
- Disabling remote administration
- Web server security checklists / SOPs
- Database table honeypots & SQL whitelists

Slides 73-74: Review Question #1
- The following code is an example of what language?
- a. PHP  b. HTML  c. ASP  d. JScript

Slides 75-76: Review Question #2
- Which of the following can be used to create dynamic Web pages? (Choose all that apply.)
- a. ColdFusion  b. PHP  c. ASP  d. MySQL

Slides 77-78: Review Question #3
- Which of the following can be used to connect a Web server to a back-end database server?
- a. ODBC  b. OLE DB  c. ADO  d. HTML

Slides 79-80: Review Question #4
- Entering the value ' OR 1=1 in a Web application that has "Enter Your PIN" as a field is most likely an example of which attack?
- a. SQL injection  b. Code injection  c. Buffer overflow  d. Ethernet flaw
Slides 81-82: Review Question #5
- Entering the URL in a Web browser is an example of what exploit?
- a. Buffer overflow  b. Unicode exploit  c. Worm injection  d. SQL injection

Slides 83-84: Review Question #6
- The AccessFileName directive in Apache, along with a configuration file (such as .htaccess), can be used to perform which of the following on a Web site?
- a. Run malicious code in the browser.  b. Protect against XSS worms.  c. Restrict directory access to those with authorized user credentials.  d. Scan for CGI vulnerabilities.

Slides 85-86: Review Question #7
- Which of the following is an open-source technology for creating dynamic HTML Web pages?
- a. ASP  b. PHP  c. Java  d. Oracle

Slides 87-88: Review Question #8
- CGI is used in Microsoft ASP pages.
- a. TRUE  b. FALSE

Slides 89-90: Review Question #9
- Which of the following is used to connect an ASP Web page to an Oracle database?
- a. ADO  b. HTML  c. CGA  d. OLE DB

Slide 91: Review Question #10
- What tags identify ColdFusion as the scripting language?
- a.  b.  c. The letters CF  d.
Slides 93-94: Review Question #11
- An HTML Web page containing ASP code must be compiled before running.
- a. TRUE  b. FALSE

Slides 95-96: Review Question #12 (last one)
- IIS is used on more than twice as many Web servers as Apache Web Server.
- a. TRUE  b. FALSE

Slide 97: Questions?
- www2.hawaii.edu/~probbins
- https://www.dorkatron.com/docs/ISA330/
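A closing worked example for the SQL injection login-bypass slides (64-67) and review question #4, added here and not part of the lecture. It runs against a constructed in-memory SQLite table (one user, password stored as a hash), and shows the vulnerable login check, which pastes the username into the SQL text so that a quote closes the string literal and -- comments out the password clause exactly as slide 66 describes, beside the parameterized check, where the driver passes the username as a value and the same input simply fails to match. The `username_allowed` whitelist is an assumed policy standing in for the "SQL whitelists" item on slide 72.

```python
import hashlib
import re
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the back-end DBMS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.sha256(b"correct horse").hexdigest()))
    return conn


def login_vulnerable(conn, username, password):
    """Login check that builds the statement by string formatting.

    The username becomes part of the SQL text, so a quote in it closes the
    string literal and '--' comments out the password clause: the
    login-bypass mechanics of slide 66. Returns the matched username or None.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, pw_hash))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the username is passed as a value,
    never parsed as SQL, so the quote and '--' have no effect."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash)).fetchone()
    return row[0] if row else None


# Assumed whitelist policy: usernames are short alphanumeric tokens.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def username_allowed(username):
    """Whitelist check applied before the input reaches the database."""
    return USERNAME_RE.match(username) is not None


def demo():
    """Feed the slide's bypass input to both versions.

    Returns (vulnerable_result, parameterized_result, whitelist_accepts).
    """
    conn = make_db()
    bypass = "admin' --"   # closes the string literal, comments out the rest
    return (login_vulnerable(conn, bypass, "wrong password"),
            login_parameterized(conn, bypass, "wrong password"),
            username_allowed(bypass))


if __name__ == "__main__":
    print(demo())
```

Note that hashing the password before it reaches the query does not help the vulnerable version: as slide 66 says, the injection works without touching the password field at all, because the comment removes that clause from the statement.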
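A second closing example, added here and not from the lecture, for the directory traversal (slide 55), attack obfuscation (slide 56) and canonicalization error (slide 48) slides. The document root `/var/www/html` is an assumed value. The check percent-decodes repeatedly until the request stops changing (so a double-encoded `..` is seen for what it is), treats backslashes as separators, joins the request to the root and only then normalizes, and finally confirms the result still lies under the root; checking the raw request first and decoding later is the class of mistake a canonicalization error amounts to.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the example; not a path from the lecture.
DOCROOT = "/var/www/html"


def decode_fully(requested, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), then treat
    backslashes as path separators.

    Double encoding such as %252e is one of the encoding tricks the
    attack-obfuscation slide alludes to; a check that decodes once would
    compare against '%2e%2e' and never see the '..'.
    """
    decoded = requested
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def resolve(requested):
    """Map a request path to a file under DOCROOT, or None.

    The request is joined to the root *before* normalisation, so '..'
    components are resolved against the real layout; if the normalised
    result is not inside DOCROOT the request is a traversal attempt.
    """
    relative = decode_fully(requested).lstrip("/")
    full = posixpath.normpath(posixpath.join(DOCROOT, relative))
    if full == DOCROOT or full.startswith(DOCROOT + "/"):
        return full
    return None


def is_traversal(requested):
    """Detection helper for a log review: True when the request would
    escape the document root."""
    return resolve(requested) is None


if __name__ == "__main__":
    # Constructed sample requests: plain, legitimately relative, and encoded
    # variants of a walk outside the root.
    for req in ["/index.html", "images/../index.html", "/../../outside.txt",
                "%2e%2e/%2e%2e/outside.txt", "%252e%252e%252foutside.txt",
                "..%5c..%5coutside.txt"]:
        print("%-32s -> %s" % (req, resolve(req)))
```

The same `is_traversal` check can be run over the request column of a Web server log to flag obfuscated traversal attempts that a naive substring match for `..` would miss.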