Web Site Hacking


Web Site Hacking. Objectives. Describe Web applications Explain Web application vulnerabilities Describe the tools used to attack Web servers. Targets. Normally, a Web application is supported by a Web server that runs on a general-purpose or embedded OS. - PowerPoint PPT Presentation

Transcript of Web Site Hacking

Page 1: Web Site Hacking
Page 2: Web Site Hacking

Objectives

Describe Web applications

Explain Web application vulnerabilities

Describe the tools used to attack Web servers

Page 3: Web Site Hacking

Targets

Normally, a Web application is supported by a Web server that runs on a general-purpose or embedded OS.

Each component (application, server, and OS) has its own set of vulnerabilities, but when these components are combined, there’s an increased risk of Web applications being compromised.

An attacker can exploit a minor vulnerability in one function, such as a Web mail application, and use it as a stepping stone to launch additional attacks against the OS.

Page 4: Web Site Hacking

Web Application Components

Static Web pages

Dynamic Web pages

CGI (Common Gateway Interface)

Active Server Pages (ASP), PHP, ColdFusion, JavaScript, and database connector strings, such as Open Database Connectivity (ODBC).

Page 5: Web Site Hacking

Scripting Languages

PHP: Hypertext Preprocessor

ColdFusion

VBScript

JavaScript

Page 6: Web Site Hacking

PHP: Hypertext Preprocessor

<html>
<head><title>My First PHP Program</title></head>
<body>
<?php echo '<h1>Hello, Security Testers!</h1>'; ?>
</body>
</html>

Page 7: Web Site Hacking

ColdFusion

<html>
<head><title>Using CFML</title></head>
<body>
<CFLOCATION URL="www.isecom.org" ADDTOKEN="NO">
</body>
</html>

Page 8: Web Site Hacking

VBScript

<html>
<body>
<script type="text/vbscript">
document.write ("<h1>Hello Security Testers!</h1>")
document.write ("Date Activated: " & date())
</script>
</body>
</html>

Page 9: Web Site Hacking

JavaScript

<html>
<head>
<script type="text/javascript">
function chastise_user() {
    alert("So, you like breaking rules?");
    document.getElementById("cmdButton").focus();
}
</script>
</head>
<body>
<h3>"If you are a Security Tester, please do not click the command button below!"</h3>
<form>
<input type="button" value="Don't Click!" name="cmdButton" id="cmdButton" onClick="chastise_user()" />
</form>
</body>
</html>

Page 10: Web Site Hacking

Connecting to Databases

Open Database Connectivity (ODBC)

Object Linking and Embedding Database (OLE DB)

ActiveX Data Objects (ADO)

Page 11: Web Site Hacking

Open Database Connectivity (ODBC)

The ODBC interface allows an application to access data stored in a database management system (DBMS).

ODBC established:

Interoperability between back-end DBMSs and applications

A standardized representation for data types

A library of ODBC function calls that allow an application to connect to a DBMS, run SQL statements, and retrieve the results

A standard method of connecting to and logging on to a DBMS

Page 12: Web Site Hacking

Object Linking and Embedding Database (OLE DB)

A set of interfaces that enable applications to access data stored in a DBMS.

OLE DB is faster, more efficient, and more stable than its predecessor, ODBC.

OLE DB relies on connection strings that allow the application to access data stored on an external device.

Depending on the data source you’re connecting to, you might use a different provider.

For example, connecting to a SQL Server database requires using SQLOLEDB as the provider instead of Microsoft.Jet.

Page 13: Web Site Hacking

Example connection string (Microsoft Jet provider):

Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Personnel.mdb;User ID=;Password=;

OLE DB provider                       Description in connection string
Microsoft Active Directory Service    Provider=ADSDSOOBJECT
Advantage                             Provider=Advantage OLE DB Provider
AS/400 (from IBM)                     Provider=IBMDA400
AS/400 and VSAM (from Microsoft)      Provider=SNAOLEDB
MS Commerce Server                    Provider=Commerce.DSO.1
DB2                                   Provider=DB2OLEDB
Microsoft Jet                         Provider=Microsoft.Jet.OLEDB.4.0
MS Exchange                           Provider=EXOLEDB.DataSource
MySQL                                 Provider=MySQLProv
Oracle (from Microsoft)               Provider=msdaora
Oracle (from Oracle)                  Provider=OraOLEDB.Oracle
MS SQL Server                         Provider=SQLOLEDB

Page 14: Web Site Hacking

ActiveX Data Objects (ADO)

A programming interface for connecting a Web application to a database. To access a database from an ASP Web page, you follow these general steps:

1. Create an ADO connection to the database you want to access.

2. Open the database connection you created in Step 1.

3. Create an ADO recordset, which contains rows from the table you're accessing.

4. Open the recordset.

5. Select the data you need from the recordset, based on particular criteria.

6. Close the recordset and the database connection.

Page 15: Web Site Hacking
Page 16: Web Site Hacking

Cross-site scripting (XSS)

A Web browser might carry out code sent from a Web site. Attackers can use a Web application to run a script on the Web browser of the system they're attacking.

XSS is one of the easiest types of attacks to perform, which also makes it one of the most common; attackers simply save the form to their local computers and change the form field values.

This type of attack is also one of the easiest to protect against by making sure that any “post” action is coming from your Web site.

Page 17: Web Site Hacking

index.php?name=guest<script>alert('attacked')</script>
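As an added example (not from the slides), the page behind this index.php?name= URL rendered two ways in Python: echoing the parameter straight into the markup, as the payload above relies on, and output-encoding it for the HTML body so the same input is displayed as text. The request strings are constructed here; the second is the slide's URL.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed requests; the second carries the payload shown on the slide.
REQUESTS = [
    "index.php?name=guest",
    "index.php?name=guest<script>alert('attacked')</script>",
]

def name_param(url):
    # Mirrors PHP's $_GET['name'] with a default of 'guest'.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("name", ["guest"])[0]

def render_unsafe(url):
    # Echoes the parameter into the page body unchanged: reflected XSS.
    return "<h1>Hello, " + name_param(url) + "!</h1>"

def render_safe(url):
    # Output-encodes for the HTML body context: <, >, &, and quotes become entities,
    # so the browser shows the payload as text instead of executing it.
    return "<h1>Hello, " + escape(name_param(url), quote=True) + "!</h1>"

def script_survives(html):
    # Check usable in a test or response-review script: did an executable tag reach the output?
    return "<script" in html.lower()

if __name__ == "__main__":
    for url in REQUESTS:
        print("unsafe:", render_unsafe(url))
        print("safe:  ", render_safe(url))
```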

Page 18: Web Site Hacking

Injection flaws

Many Web applications pass parameters when accessing an external system. A Web application that accesses a database server needs to pass logon information to the database server.

An attacker can embed malicious code and run a program on the database server or send malicious code in an HTTP request.

Basically, the attacker is tricking the Web application into running malware or making unauthorized changes to data.

Page 19: Web Site Hacking

Malicious file execution

Some Web applications allow users to reference or upload files containing malware.

If these references or files aren’t checked before the Web application executes them, they can give attackers complete control of the system.

Page 20: Web Site Hacking

Unsecured direct object reference

This vulnerability occurs when information returned via the URL to a user’s Web browser contains information (references) about files, directories, or database records.

By simply changing the information in the URL, attackers can gain unauthorized access to information.

Page 21: Web Site Hacking

Information leakage and incorrect error handling

If an error occurs during normal operations and isn't handled correctly, information sent to users might reveal information attackers can use.

For example, attackers can take advantage of error messages that reveal what was executed on the stack or indicate what Web software is used.

Page 22: Web Site Hacking

Unsecured cryptographic storage

Storing keys, certificates, and passwords on a Web server can be dangerous. If an attacker can gain access to these mechanisms, the server is vulnerable to attack. To decrease the chances of a compromise, don't store confidential data, such as customers' credit card numbers, on your Web server. Instead, require that confidential data be entered each time users visit the Web site.

Page 23: Web Site Hacking

Unsecured communication

Connections between the Web browser and the Web application should be encrypted to protect information as it travels across the Internet. Web applications need to encrypt not only the session to the Web browser, but also sessions to any other servers, such as back-end databases. This vulnerability occurs when sessions are left unencrypted.

Page 24: Web Site Hacking

Failure to restrict URL access

This vulnerability occurs when developers don't use adequate access controls for URLs. Instead, they rely on a "security through obscurity" model, which depends on users simply not being aware of the location of critical files and directories.

Page 25: Web Site Hacking

Canonicalization (dot-dot-slash) Attacks

IIS didn't correctly parse the URL information users entered, which allowed attackers to launch a Unicode exploit.

For example, if a user entered the /../.. sequence of characters in a URL, IIS indicated an error.

To bypass this check in IIS, attackers substituted the Unicode equivalent of ../: ..%255c.

http://www.nopatchiss.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c
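As an added example (not from the slides), a log-review check in Python that canonicalizes request paths the way a filter must before comparing them: it percent-decodes until the string stops changing, so ..%255c becomes ..%5c and then ..\, unifies backslash with slash, and only then looks for ".." segments. The sample requests are constructed, except the third, which is the slide's URL; overlong UTF-8 forms are not handled here.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed sample requests; the third is the URL from the slide.
SAMPLE_REQUESTS = [
    "/scripts/index.asp",
    "/scripts/../../winnt/system32/cmd.exe",
    "http://www.nopatchiss.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c",
    "/images/logo%20small.png",
]

def decode_fully(text, max_rounds=5):
    # Percent-decode until the result is stable, so %255c -> %5c -> '\'.
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def analyze(request):
    # Works on a bare path or a full URL; the query string is ignored.
    raw_path = urlsplit(request).path
    once = unquote(raw_path)
    fully = decode_fully(raw_path)
    # IIS accepts '\' as a separator, so unify it before looking for '..' segments.
    unified = fully.replace("\\", "/")
    return {
        "canonical": posixpath.normpath("/" + unified.lstrip("/")),
        "dot_dot": any(seg == ".." for seg in unified.split("/")),
        "double_encoded": fully != once,
    }

def flagged(requests):
    # Requests a filter or log-review rule should raise: any '..' segment after full decoding.
    return [r for r in requests if analyze(r)["dot_dot"]]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", analyze(req))
```

A single-pass decoder would see ..%5c, not .., which is exactly the gap the slide's ..%255c form exploited.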

Page 26: Web Site Hacking

SQL Injection

SELECT * FROM customer WHERE tblusername = 'bob' AND tblpassword = 'password'

Entered in the user name field:

' OR 1=1 --

Resulting query:

SELECT * FROM customer WHERE tblusername = '' OR 1=1 -- ' AND tblpassword = ''

Because 1=1 is always true, the query is carried out successfully. Double hyphens (--) are used in SQL to indicate a comment.

Page 27: Web Site Hacking

' OR ''=' entered in both fields

SELECT * FROM customer WHERE tblusername = '' OR ''='' AND tblpassword = '' OR ''=''
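As an added example (not from the slides), the two payloads above run against the slides' customer query built two ways in Python with the sqlite3 module and a constructed in-memory table: concatenating user input into the SQL text lets either payload log in, while binding the same input as parameters makes both fail.

```python
import sqlite3

def make_db():
    # Constructed in-memory table using the slide's column names; 'bob'/'password' is the only row.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customer (tblusername TEXT, tblpassword TEXT)")
    con.execute("INSERT INTO customer VALUES ('bob', 'password')")
    return con

def login_vulnerable(con, username, password):
    # The slide's query built by string concatenation: input becomes part of the SQL text.
    sql = ("SELECT * FROM customer WHERE tblusername = '" + username
           + "' AND tblpassword = '" + password + "'")
    return con.execute(sql).fetchall()

def login_parameterized(con, username, password):
    # Same query with placeholders: values travel separately from the SQL text, so quotes
    # and comment markers in the input are data, never syntax.
    sql = "SELECT * FROM customer WHERE tblusername = ? AND tblpassword = ?"
    return con.execute(sql, (username, password)).fetchall()

def demo():
    # Runs a valid login and both slide payloads through each login function.
    con = make_db()
    comment = "' OR 1=1 --"   # comments out the password check
    quotes = "' OR ''='"      # entered in both fields
    return {
        "vuln_valid": login_vulnerable(con, "bob", "password"),
        "vuln_comment": login_vulnerable(con, comment, "wrong"),
        "vuln_quotes": login_vulnerable(con, quotes, quotes),
        "param_valid": login_parameterized(con, "bob", "password"),
        "param_comment": login_parameterized(con, comment, "wrong"),
        "param_quotes": login_parameterized(con, quotes, quotes),
    }

if __name__ == "__main__":
    for case, rows in demo().items():
        print(case, "->", "login succeeds" if rows else "login fails")
```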

Page 28: Web Site Hacking

Cgiscan: A CGI Scanning Tool

A tool for searching Web sites for CGI scripts that can be exploited.

Cgiscan, a C program that must be compiled, is included here as an example of a security tool written in C.

Tests for new CGI vulnerabilities can be included by adding code and then recompiling.

Page 29: Web Site Hacking

Wapiti

It inspects a Web site by searching from the outside for ways to take advantage of XSS, SQL, PHP, JSP, and file-handling vulnerabilities.

It can detect common forms that allow uploads or command injection. It uses what's called "fuzzing": trying to inject data into whatever will accept it. In this way, even new vulnerabilities can be discovered.

Page 30: Web Site Hacking

Wfetch

A GUI tool that can be downloaded free from Microsoft and is included in the IIS Resource Kit.