Ethical Hacking, Chapter 10 - Exploiting Web Servers - Eric Vanderburg
2. Objectives
Describe Web applications
Explain Web application vulnerabilities
Describe the tools used to attack Web servers
3. Understanding Web Applications
It is nearly impossible to write a program without bugs, and some bugs create security vulnerabilities
Web applications also have bugs
Web applications have a larger user base than standalone applications: anyone who can send an HTTP request can reach them
Bugs are therefore a bigger problem for Web applications
4. Web Application Components
Static Web pages
  Created using HTML
Dynamic Web pages
  Need special components
    <form> tags
    Common Gateway Interface (CGI)
    Active Server Pages (ASP)
    PHP
    ColdFusion
    Scripting languages
    Database connectors
5. Web Forms
Use the <form> element or tag in an HTML document
Allows a customer to submit information to the Web server
Web servers process information from a Web form by using a Web application
Every form field is attacker-controllable input to that application, and if the form is submitted over plain HTTP the data is also easy for attackers to intercept in transit
6. Web Forms (continued)
Web form example (the action path /login is a placeholder):
<html>
<body>
<!-- method="post" keeps the credentials out of the URL, browser history, and server logs -->
<form method="post" action="/login">
Enter your username:
<input type="text" name="username">
<br>
Enter your password:
<!-- type="password" masks the field on screen; it does not protect the value on the wire -->
<input type="password" name="password">
<input type="submit" value="Log in">
</form>
</body>
</html>
7. Common Gateway Interface (CGI)
Describes how a Web server passes request data to an external program (headers and the query string as environment variables such as QUERY_STRING, the request body on standard input) and returns that program's standard output to the Web browser
The majority of dynamic Web pages at the time were created with CGI and scripting languages
Relies on Perl or another scripting language to create dynamic Web pages
CGI programs can be written in different programming and scripting languages
8. Common Gateway Interface (CGI) (continued)
CGI example, written in Perl as Hello.pl; it should be placed in the cgi-bin directory on the Web server:
#!/usr/bin/perl
use strict;
use warnings;
# The Content-type header and the blank line after it are required: the server forwards both to the browser
print "Content-type: text/html\n\n";
print "Hello Security Testers!";
9. Active Server Pages (ASP)
With ASP, developers can generate HTML documents for users on the fly
Main difference from pure HTML pages: when a user requests a Web page, the page is created at that time
ASP uses scripting languages such as JScript or VBScript
Not all Web servers support ASP (it is a Microsoft IIS technology)
10. Active Server Pages (ASP) (continued)
ASP example:
<HTML>
<HEAD><TITLE> My First ASP Web Page </TITLE></HEAD>
<BODY>
<H1>Hello, security professionals</H1>
The time is <% = Time %>.
</BODY>
</HTML>
Microsoft does not want users to be able to view an ASP Web page's source code: the <% %> blocks run on the server, and only their output reaches the browser
If the server can be tricked into returning the .asp file instead of executing it, any connection strings, credentials, or business logic embedded in the script are exposed, which can create serious security problems
11. Apache Web Server
Apache HTTP Server is another Web server program
Apache hosted anywhere from 50% to 60% of all Web sites at the time this chapter was written
Advantages
  Works on just about any *NIX and Windows platform
  It is free
Apache Tomcat is a separate project from the same foundation: a Java servlet and JSP container that requires the Java 2 Standard Edition runtime (J2SE 5.0)
12. Using Scripting Languages
Dynamic Web pages can be developed using scripting languages
  VBScript
  JavaScript
  PHP
13. PHP: Hypertext Preprocessor (PHP)
Enables Web developers to create dynamic Web pages
Similar to ASP
Open-source server-side scripting language
Can be embedded in an HTML Web page using the PHP tags <?php and ?>
Users cannot see PHP code in their Web browser; only the output the script produces is sent
Used primarily on UNIX systems
Also supported on Macintosh and Microsoft platforms
14. PHP: Hypertext Preprocessor (PHP) (continued)
PHP example:
<html>
<head>
<title>My First PHP Program </title>
</head>
<body>
<?php echo '<h1>Hello, Security Testers!</h1>'; ?>
</body>
</html>
As a security tester you should look for PHP vulnerabilities, both in the PHP interpreter itself and in how the application passes user input into its scripts
15. ColdFusion
Server-side scripting language used to develop dynamic Web pages
Created by the Allaire Corporation
Uses its own proprietary tags written in ColdFusion Markup Language (CFML)
CFML Web applications can contain other technologies, such as HTML or JavaScript
16. ColdFusion (continued)
CFML example (CFLOCATION redirects the browser to the given URL):
<html>
<head>
<title>Using CFML</title>
</head>
<body>
<CFLOCATION URL="www.isecom.org/cf/index.htm" ADDTOKEN="NO">
</body>
</html>
CFML is not exempt from vulnerabilities
17. VBScript
Visual Basic Script is a scripting language developed by Microsoft
Converts static Web pages into dynamic Web pages
Takes advantage of the power of a full programming language
VBScript is also prone to security vulnerabilities
Check the Microsoft Security Bulletins for information about VBScript vulnerabilities
18. VBScript (continued)
VBScript example (client-side script; only Internet Explorer runs VBScript in the browser):
<html>
<body>
<script type="text/vbscript">
document.write("<h1>Hello Security Testers!</h1>")
document.write("Date Activated: " & date())
</script>
</body>
</html>
19. JavaScript
Popular scripting language
JavaScript also has the power of a programming language
  Branching
  Looping
  Testing
A variety of vulnerabilities exist for JavaScript that have been exploited in older Web browsers
20. JavaScript (continued)
JavaScript example:
<html>
<head>
<script type="text/javascript">
function chastise_user()
{
  alert("So, you like breaking rules?");
  // getElementById looks the button up by its id attribute, set on the input below
  document.getElementById("cmdButton").focus();
}
</script>
</head>
<body>
<h3>"If you are a Security Tester, please do not click the command
button below!"</h3>
<form>
<input type="button" value="Don't Click!" id="cmdButton" name="cmdButton"
onClick="chastise_user()" />
</form>
</body>
</html>
21. Connecting to Databases
Web pages can display information stored in databases
There are several technologies used to connect databases with Web applications
The technology depends on the OS used
  ODBC
  OLE DB
  ADO
The theory is the same for all of them
22. Open Database Connectivity (ODBC)
Standard database access method, developed by Microsoft from the Call-Level Interface specification of the SQL Access Group
The ODBC interface allows an application to access data stored in a database management system from any system that understands and can issue ODBC commands
Interoperability among back-end DBMSs is a key feature of the ODBC interface
23. Open Database Connectivity (ODBC) (continued)
ODBC defines
  A standardized representation of data types
  A library of ODBC functions
  Standard methods of connecting to and logging on to a DBMS
24. Object Linking and Embedding Database (OLE DB)
OLE DB is a set of interfaces that enables applications to access data stored in a DBMS
Developed by Microsoft
Designed to be faster, more efficient, and more stable than ODBC
OLE DB relies on connection strings
Different providers can be used with OLE DB depending on the DBMS to which you want to connect
25. ActiveX Data Objects (ADO)
ActiveX defines a set of technologies that allow desktop applications to interact with the Web
ADO is a programming interface that allows Web applications to access databases
Steps for accessing a database from a Web page
  Create an ADO connection
  Open the database connection you just created
  Create an ADO recordset
  Open the recordset
  Select the data you need
  Close the recordset and the connection
26. Understanding Web Application Vulnerabilities
Many platforms and programming languages can be used to design a Web site
Application security is as important as network security
Attackers controlling a Web server can
  Deface the Web site
  Destroy or steal the company's data
  Gain control of user accounts
  Perform secondary attacks from the Web site
  Gain root access to other applications or servers
27. Application Vulnerabilities Countermeasures
Open Web Application Security Project (OWASP)
  Open, not-for-profit organization dedicated to finding and fighting vulnerabilities in Web applications
  Publishes the Ten Most Critical Web Application Security Vulnerabilities
Top-10 Web application vulnerabilities (the 2003 edition of the OWASP Top Ten; later editions regroup the categories)
  Unvalidated parameters: the application uses data from the HTTP request (URL parameters, form fields, cookies, headers) without validating it
  Broken access control: developers implement access controls but fail to test them properly
28. Application Vulnerabilities Countermeasures (continued)
Top-10 Web application vulnerabilities (continued)
  Broken account and session management: enables attackers to compromise passwords or session cookies to gain access to accounts
  Cross-site scripting (XSS) flaws: an attacker can use the Web application to deliver a script that runs in the Web browser of the user being attacked, with that site's privileges in the browser
  Buffer overflows: Web server software, modules, and CGI programs written in C or C++ can contain buffer overflows that an attacker triggers with oversized input
29. Application Vulnerabilities Countermeasures (continued)
Top-10 Web application vulnerabilities (continued)
  Command injection flaws: an attacker embeds commands in request parameters that the application passes to an external interpreter (an operating-system shell, or the database server via SQL), so the attacker's commands run on that system
  Error-handling problems: error information sent to the user might reveal information that an attacker can use, such as stack traces, SQL syntax errors, or internal file paths
  Insecure use of cryptography: storing keys, certificates, and passwords on a Web server can be dangerous
30. Application Vulnerabilities Countermeasures (continued)
Top-10 Web application vulnerabilities (continued)
  Remote administration flaws: an attacker can gain access to the Web server through the remote administration interface
  Web and application server misconfiguration: any Web server software out of the box is usually vulnerable to attack
    Default accounts and passwords
    Overly informative error messages
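The "unvalidated parameters" and "cross-site scripting" items in the list above come down to the same mistake: copying request data into a page without treating it as hostile. The following Python script is an added example, not code from the slides or from OWASP; it parses a CGI-style QUERY_STRING and renders a greeting two ways, the vulnerable way (raw concatenation) and the hardened way (allowlist validation for a field that has a known shape, HTML escaping at the output for free text that cannot be allowlisted). The parameter names `name` and `comment`, the username allowlist, and the sample query strings are assumptions made for the example.

```python
import html
import re
from urllib.parse import parse_qs

# Allowlist for a username parameter (an assumption for this example):
# letters, digits, underscore, dot, hyphen; 1 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value):
    """Return True only if the value matches the allowlist exactly."""
    return USERNAME_RE.fullmatch(value) is not None


def first_param(query_string, key):
    """Pull one parameter out of a CGI-style QUERY_STRING (first value wins)."""
    values = parse_qs(query_string, keep_blank_values=True).get(key, [])
    return values[0] if values else ""


def render_greeting_unsafe(query_string):
    """Vulnerable: reflects the 'name' parameter into the HTML verbatim."""
    return "<h1>Hello, " + first_param(query_string, "name") + "!</h1>"


def render_greeting_safe(query_string):
    """Hardened: reject anything outside the allowlist, then encode the output anyway."""
    name = first_param(query_string, "name")
    if not validate_username(name):
        # Reject rather than "clean up": a rejected request is easy to log and
        # audit; a silently rewritten one is not.
        return "<h1>Invalid username</h1>"
    return "<h1>Hello, " + html.escape(name, quote=True) + "!</h1>"


def render_comment_unsafe(query_string):
    """Vulnerable: free text, pasted straight into the page."""
    return "<p>" + first_param(query_string, "comment") + "</p>"


def render_comment_safe(query_string):
    """Hardened: free text cannot be allowlisted, so encode it for the HTML context.

    html.escape turns < > & " ' into entities, so the browser renders text
    instead of parsing markup. Escaping belongs at the output, where the
    context (HTML body here) is known, not at the input.
    """
    return "<p>" + html.escape(first_param(query_string, "comment"), quote=True) + "</p>"


# Constructed sample query strings, as a browser (or an attacker) would send them.
BENIGN_QS = "name=alice&comment=nice+site"
XSS_QS = "name=%3Cscript%3Ealert(document.cookie)%3C/script%3E&comment=%3Cscript%3Ealert(1)%3C/script%3E"


if __name__ == "__main__":
    for qs in (BENIGN_QS, XSS_QS):
        print("query  :", qs)
        print("unsafe :", render_greeting_unsafe(qs), render_comment_unsafe(qs))
        print("safe   :", render_greeting_safe(qs), render_comment_safe(qs))
```

The unsafe renderers return a literal `<script>` element for the second query string, which the victim's browser would execute; the safe ones either refuse the value or return `&lt;script&gt;...`, which the browser displays as text.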
31. Application Vulnerabilities Countermeasures (continued)
WebGoat project
  Helps security testers learn how to perform vulnerability testing on Web applications
  Developed by OWASP
WebGoat can be used to
  Reveal HTML or Java code and any cookies or parameters used
  Hack a logon name and password
32. Application Vulnerabilities Countermeasures (continued)
WebGoat can be used to (continued)
  Traverse a file system on a Windows XP computer running Apache
WebGoat's big challenge
  Defeat an authentication mechanism
  Steal credit cards from a database
  Deface a Web site
33. Assessing Web Applications
Security testers should look for answers to some important questions
  Does the Web application use dynamic Web pages?
  Does the Web application connect to a backend database server?
  Does the Web application require authentication of the user?
  On what platform was the Web application developed?
34. Does the Web Application Use Dynamic Web Pages?
Static Web pages give an attacker little to work with; dynamic pages accept input and execute code, and that is where the attack surface is
IIS attack example
  Submitting a specially formatted URL to the attacked Web server
  IIS does not correctly parse the URL information: %255c is a doubly encoded backslash (%25 decodes to %, leaving %5c, which decodes to \), so the path check sees no .. sequence but the path that is finally opened walks out of the scripts directory
  Attackers could launch a Unicode exploit (the original variant used overlong UTF-8 sequences such as %c0%af for the slash; the variant shown here relies on the double decoding of %255c)
  http://www.nopatchiss.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c
  Attacker can even install a Trojan program
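The defence against the request above is to decode the path the same way the server ultimately will, and only then decide whether it stays under the Web root. The Python below is an added example, not code from the slides or from IIS: it percent-decodes a request path until it stops changing, folds backslashes into slashes the way IIS does, rejects byte sequences that are not valid UTF-8 (the overlong encodings the Unicode bug accepted), and checks the normalised path against an assumed Web root of /inetpub/wwwroot. The sample request URLs are constructed for the example; the first is benign, the second is the slide's URL, the third is the overlong-UTF-8 form.

```python
import posixpath
from urllib.parse import unquote_to_bytes, urlsplit

# Assumed virtual root for the example; a request must never resolve outside it.
WEBROOT = "/inetpub/wwwroot"
MAX_DECODE_ROUNDS = 5


def decode_fully(value):
    """Percent-decode repeatedly until the value stops changing.

    One pass turns %255c into %5c; a second pass turns %5c into a backslash.
    A server that validates after one pass and decodes again before opening
    the file is exactly the flaw the slide describes. Returns (bytes, rounds).
    """
    data = value.encode("latin-1")
    rounds = 0
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
        rounds += 1
    return data, rounds


def analyze_url(url, webroot=WEBROOT):
    """Classify one request URL: what its path decodes to and whether it escapes webroot."""
    raw_path = urlsplit(url).path          # the query (?/c+dir+c) is not part of the file path
    decoded, rounds = decode_fully(raw_path)
    try:
        text = decoded.decode("utf-8")     # strict: overlong sequences raise
        malformed_utf8 = False
    except UnicodeDecodeError:
        # %c0%af is an illegal (overlong) encoding of '/'. A strict decoder
        # refuses it; the vulnerable IIS versions accepted it. Treat undecodable
        # input as hostile rather than guessing what the server would do.
        text = decoded.decode("latin-1")
        malformed_utf8 = True
    # IIS treats '\' and '/' alike, so fold them before normalising '..' away.
    relative = text.replace("\\", "/").lstrip("/")
    resolved = posixpath.normpath(posixpath.join(webroot, relative))
    inside = resolved == webroot or resolved.startswith(webroot + "/")
    return {
        "decoded_path": text,
        "decode_rounds": rounds,
        "resolved": resolved,
        "malformed_utf8": malformed_utf8,
        "traversal": (not inside) or malformed_utf8,
    }


def flag_traversals(urls, webroot=WEBROOT):
    """Return the subset of request URLs that escape the Web root or use bad encodings."""
    return [u for u in urls if analyze_url(u, webroot)["traversal"]]


# Constructed sample requests, as they might appear in a Web server log.
SAMPLE_REQUESTS = [
    "http://www.nopatchiss.com/scripts/hello.pl?name=alice",
    "http://www.nopatchiss.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c",
    "http://www.nopatchiss.com/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir+c",
]


if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(url)
        for key, value in analyze_url(url).items():
            print("   %-15s %s" % (key, value))
```

Run as a script, the second URL needs two decode rounds, decodes to /scripts/..\..\winnt/system32/cmd.exe, and resolves to /inetpub/winnt/system32/cmd.exe, outside the root; the third never decodes to valid UTF-8 and is flagged for that reason alone. The same loop is what a filter in front of a legacy server, or a detection rule over access logs, has to do: decode to a fixed point first, compare second.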
35. Does the Web Application Connect to a Backend Database Server?
Security testers should check for the possibility of SQL injection being used to attack the system
SQL injection involves the attacker supplying SQL commands in a Web application field
SQL injection examples: the application builds its query by pasting the username and password fields into a string, so entering ' OR 1=1 -- as the username turns the check into
SELECT * FROM customer
WHERE tblusername = '' OR 1=1 -- ' AND tblpassword = ''
or, entering ' OR ''=' in both fields,
SELECT * FROM customer
WHERE tblusername = '' OR ''='' AND tblpassword = '' OR ''=''
Either WHERE clause is true for every row, so the query returns the whole customer table and the logon succeeds without a valid password
36. Does the Web Application Connect to a Backend Database Server? (continued)
Basic testing should look for
  Whether you can enter text with punctuation marks
  Whether you can enter a single quotation mark followed by any SQL keywords
  Whether you can get any sort of database error when attempting to inject SQL
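The three checks above, and the ' OR 1=1 -- example from the previous slide, can be run end to end against a small stand-in for the backend. The Python below is an added example, not code from the slides: it creates an in-memory SQLite table with the slide's column names, implements the logon query twice (concatenated, as the slide shows, and parameterised), and pushes each probe through both. The table contents and the probe payloads are constructed for the example.

```python
import sqlite3

# Constructed sample rows, using the column names from the slide.
SAMPLE_ROWS = [("alice", "s3cret"), ("bob", "hunter2")]


def build_db():
    """In-memory SQLite stand-in for the backend database server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (tblusername TEXT, tblpassword TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation: the flaw on slide 35."""
    query = ("SELECT * FROM customer WHERE tblusername = '" + username +
             "' AND tblpassword = '" + password + "'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterised statement: the input is bound as data and never parsed as SQL."""
    query = "SELECT * FROM customer WHERE tblusername = ? AND tblpassword = ?"
    return conn.execute(query, (username, password)).fetchall()


# The three checks from slide 36, as username payloads (password left empty).
PROBES = {
    "lone_quote": "'",                  # does a stray quotation mark produce a database error?
    "quote_or_true": "' OR 1=1 --",     # quote followed by SQL keywords: does it return rows?
    "quote_comment_user": "alice' --",  # punctuation that comments out the password check
}


def probe(conn, login):
    """Run every probe through a logon function and classify the outcome."""
    outcome = {}
    for label, payload in PROBES.items():
        try:
            rows = login(conn, payload, "")
            outcome[label] = ("bypassed (%d rows)" % len(rows)) if rows else "rejected"
        except sqlite3.Error as exc:
            # A raw database error reaching the tester is itself a finding
            # (slide 29, error-handling problems): it proves the field is
            # reaching the SQL parser.
            outcome[label] = "db error: " + str(exc)
    return outcome


def run_probes():
    """Return (results for the vulnerable logon, results for the safe logon)."""
    conn = build_db()
    return probe(conn, login_vulnerable), probe(conn, login_safe)


if __name__ == "__main__":
    vulnerable, safe = run_probes()
    print("vulnerable:", vulnerable)
    print("safe      :", safe)
```

Against the concatenated query the lone quote raises a SQL syntax error, ' OR 1=1 -- returns both rows, and alice' -- logs in as alice with no password at all; against the parameterised query all three are simply rejected, because the bound value is compared to the column as a string and never reaches the parser. The same probes are what a tester types into the live form; the difference is that here the outcome is visible directly instead of being inferred from the application's response.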
37. Does the Web Application Require Authentication of the User?
Many Web applications rely on another server to authenticate users
Examine how information is passed between the two servers
  Is the channel encrypted?
Verify that logon and password information is stored in secure places
Authentication servers introduce a second target
38. On What Platform Was the Web Application Developed?
Several different platforms and technologies can be used to develop Web applications
Attacks differ depending on the platform and technology used to develop the application
Footprinting is used to find out as much information as possible about a target system
The more you know about a system, the easier it is to gather information about its vulnerabilities
39. Tools of Web Attackers and Security Testers
Choose the right tools for the job
Attackers look for tools that enable them to attack the system
They choose their tools based on the vulnerabilities found on a target system or application
40. Web Tools
Cgiscan.c: CGI scanning tool
  Written in C in 1999 by Bronc Buster
  Tool for searching Web sites for CGI scripts that can be exploited
  One of the best tools for scanning the Web for systems with CGI vulnerabilities
41. Web Tools (continued)
Phfscan.c
  Written to scan Web sites looking for hosts that could be exploited by the PHF bug
  The PHF bug enables an attacker to download the victim's /etc/passwd file
  It also allows attackers to run programs on the victim's Web server by using a particular URL
42. Web Tools (continued)
Wfetch: GUI tool
  This tool queries the status of a Web server and attempts authentication against it
  Features include
    Multiple HTTP methods
    Configuration of host name and TCP port
    HTTP 1.0 and HTTP 1.1 support
    Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiate authentication types
    Multiple connection types
    Proxy support
    Client-certificate support
43. Summary
Web applications can be developed on many platforms
HTML pages can contain
  Forms
  ASP
  CGI
  Scripting languages
Static pages have been replaced by dynamic pages
Dynamic Web pages can be created using CGI, ASP, and JSP
44. Summary (continued)
Web forms allow developers to create Web pages with which visitors can interact
Web applications use a variety of technologies to connect to databases
  ODBC
  OLE DB
  ADO
Security tests should check
  Whether the application connects to a database
  Whether the user is authenticated through a different server
45. Summary (continued)
Many tools are available for security testers
  Cgiscan
  Wfetch
  OWASP open-source software
Web applications that connect to databases might be vulnerable to SQL injection
There are many free tools for attacking Web servers available on the Internet