Embed Size (px)
Citation preview
Hands-On Ethical Hands-On Ethical Hacking and Network Hacking and Network
DefenseDefense22ndnd Edition Edition
Chapter 10Chapter 10Hacking Web ServersHacking Web Servers
Revised 10-19-10
ObjectivesObjectives
Describe Web applicationsDescribe Web applications
Explain Web application vulnerabilitiesExplain Web application vulnerabilities
Describe the tools used to attack Web Describe the tools used to attack Web serversservers
Client’s Browser
Internet Explorer
or Firefox
Web Server
IIS or Apache
HT
TP
HT
TP
S
Web ServersWeb Servers
The two main Web servers are Apache The two main Web servers are Apache (Open source) and IIS (Microsoft)(Open source) and IIS (Microsoft)
Image from netcraft.com (link Ch 10c)Image from netcraft.com (link Ch 10c)
Understanding Web Understanding Web ApplicationsApplications
It is nearly impossible to write a program It is nearly impossible to write a program without bugswithout bugs Some bugs create security vulnerabilitiesSome bugs create security vulnerabilities
Web applications also have bugsWeb applications also have bugs Web applications have a larger user base Web applications have a larger user base
than standalone applicationsthan standalone applications Bugs are a bigger problem for Web Bugs are a bigger problem for Web
applicationsapplications
Web Application ComponentsWeb Application ComponentsStatic Web pagesStatic Web pages Created using HTMLCreated using HTML
Dynamic Web pagesDynamic Web pages Need special componentsNeed special components
<form> tags<form> tags
Common Gateway Interface (CGI) scriptsCommon Gateway Interface (CGI) scripts
Active Server Pages (ASP)Active Server Pages (ASP)
PHPPHP
ColdFusionColdFusion
Scripting languages like JavaScriptScripting languages like JavaScript
ODBC (Open Database connector)ODBC (Open Database connector)
Web FormsWeb Forms
Use the <form> element or tag in an HTML Use the <form> element or tag in an HTML documentdocument Allows customer to submit information to the Allows customer to submit information to the
Web serverWeb server
Web servers process information from a Web servers process information from a Web form by using a Web applicationWeb form by using a Web application
Easy way for attackers to intercept data Easy way for attackers to intercept data that users submit to a Web serverthat users submit to a Web server
Web Forms (continued)Web Forms (continued)
Web form exampleWeb form example<html><body><html><body>
<form><form>
Enter your username:Enter your username:
<input type="text" name="username"><input type="text" name="username">
<br><br>
Enter your password:Enter your password:
<input type="text" name="password"><input type="text" name="password">
</form></body></html></form></body></html>
Client’s Browser
HTML Forms
JavaScript
Web Server
CGI Scripts
HT
TP
HT
TP
S
Common Gateway Interface Common Gateway Interface (CGI)(CGI)
Handles moving data from a Web server Handles moving data from a Web server to a Web browserto a Web browser
The majority of dynamic Web pages are The majority of dynamic Web pages are created with CGI and scripting languagescreated with CGI and scripting languages
Describes how a Web server passes Describes how a Web server passes data to a Web browserdata to a Web browser Relies on Perl or another scripting language Relies on Perl or another scripting language
to create dynamic Web pagesto create dynamic Web pages
CGI LanguagesCGI Languages
CGI programs can be written in different CGI programs can be written in different programming and scripting languagesprogramming and scripting languages C or C++C or C++ PerlPerl Unix shell scriptingUnix shell scripting Visual BasicVisual Basic FORTRANFORTRAN
Common Gateway Interface Common Gateway Interface (CGI) (continued)(CGI) (continued)
CGI exampleCGI example Written in PerlWritten in Perl Hello.plHello.pl Should be placed in the Should be placed in the cgi-bincgi-bin directory on directory on
the Web serverthe Web server#!/usr/bin/perl#!/usr/bin/perl
print "Content-type: text/html\n\n";print "Content-type: text/html\n\n";
print "Hello Security Testers!";print "Hello Security Testers!";
Another CGI ExampleAnother CGI Example
Link Ch 10a: Sam’s Feedback FormLink Ch 10a: Sam’s Feedback Form
Link Ch 10b alternate (at bottom of page): Link Ch 10b alternate (at bottom of page): CGI Script in Perl that processes the data CGI Script in Perl that processes the data from the formfrom the form
Active Server Pages (ASP)Active Server Pages (ASP)
Microsoft’s server-side script engineMicrosoft’s server-side script engine HTML pages are static—always the sameHTML pages are static—always the same ASP creates HTML pages as needed. They ASP creates HTML pages as needed. They
are not staticare not static
ASP uses scripting languages such as ASP uses scripting languages such as JScript or VBScriptJScript or VBScriptNot all Web servers support ASPNot all Web servers support ASP IIS supports ASPIIS supports ASP Apache doesn’t support ASP as wellApache doesn’t support ASP as well
Active Server Pages (ASP)Active Server Pages (ASP)You can’t see You can’t see the source of the source of an ASP page an ASP page from a from a browserbrowserThis makes it This makes it harder to hack harder to hack into, although into, although not impossiblenot impossible
ASP examples ASP examples at links at links Ch 10d, e, fCh 10d, e, f
Apache Web ServerApache Web Server
Apache is the most popular Web Server Apache is the most popular Web Server programprogram
AdvantagesAdvantages Stable and reliableStable and reliable Works on just about any *NIX and Windows Works on just about any *NIX and Windows
platformplatform It is free and open sourceIt is free and open source
See links Ch 10g, 10hSee links Ch 10g, 10h
Using Scripting LanguagesUsing Scripting Languages
Dynamic Web pages can be developed Dynamic Web pages can be developed using scripting languagesusing scripting languages VBScriptVBScript JavaScriptJavaScript PHPPHP
PHP: Hypertext Processor (PHP)PHP: Hypertext Processor (PHP)
Enables Web developers to create dynamic Web Enables Web developers to create dynamic Web pagespages Similar to ASPSimilar to ASP
Open-source server-side scripting languageOpen-source server-side scripting language Can be embedded in an HTML Web page using PHP Can be embedded in an HTML Web page using PHP
tags <?php and ?>tags <?php and ?>Users cannot see PHP code in their Web browserUsers cannot see PHP code in their Web browser
Used primarily on UNIX systemsUsed primarily on UNIX systems Also supported on Macintosh and Microsoft platformsAlso supported on Macintosh and Microsoft platforms
PHP ExamplePHP Example
<html><head><title>Example</title></head><html><head><title>Example</title></head>
<body><body>
<?php<?php
echo 'Hello, World!';echo 'Hello, World!';
?>?>
</body></html></body></html> See links Ch 10k, 10lSee links Ch 10k, 10l
PHP has known vulnerabilitiesPHP has known vulnerabilities See links Ch 10m, 10nSee links Ch 10m, 10n
PHP is often used with MySQL DatabasesPHP is often used with MySQL Databases
ColdFusionColdFusion
Server-side scripting language used to Server-side scripting language used to develop dynamic Web pagesdevelop dynamic Web pagesCreated by the Allaire CorporationCreated by the Allaire Corporation Purchased by Macromedia, now owned by Purchased by Macromedia, now owned by
Adobe -- ExpensiveAdobe -- Expensive
Uses its own proprietary tags written in Uses its own proprietary tags written in ColdFusion Markup Language (CFML)ColdFusion Markup Language (CFML)CFML Web applications can contain other CFML Web applications can contain other technologies, such as HTML or JavaScripttechnologies, such as HTML or JavaScript
ColdFusion ExampleColdFusion Example
<html><head><title>Ex</title></head><html><head><title>Ex</title></head>
<body><body>
<CFLOCATION <CFLOCATION URL="www.isecom.org/cf/index.htm" URL="www.isecom.org/cf/index.htm" ADDTOKEN="NO">ADDTOKEN="NO">
</body></body>
</html></html> See links Ch 10oSee links Ch 10o
ColdFusion VulnerabilitiesColdFusion Vulnerabilities
See links Ch 10p, 10qSee links Ch 10p, 10q
VBScriptVBScript
Visual Basic Script is a scripting language Visual Basic Script is a scripting language developed by Microsoftdeveloped by Microsoft
You can insert VBScript commands into a You can insert VBScript commands into a static HTML page to make it dynamicstatic HTML page to make it dynamic Provides the power of a full programming Provides the power of a full programming
languagelanguage Executed by the client’s browserExecuted by the client’s browser
VBScript ExampleVBScript Example
<html><body><html><body><script type="text/vbscript"><script type="text/vbscript">document.write("<h1>Hello!</h1>")document.write("<h1>Hello!</h1>")document.write("Date Activated: " & document.write("Date Activated: " & date())date())
</script></script></body></html></body></html>
See link Ch 10r – works in IE, but not in FirefoxSee link Ch 10r – works in IE, but not in FirefoxFirefox does not support VBScript (link Ch 10s)Firefox does not support VBScript (link Ch 10s)
VBScript vulnerabilitiesVBScript vulnerabilities
See links Ch 10t, 10uSee links Ch 10t, 10u
JavaScriptJavaScript
Popular scripting languagePopular scripting language
JavaScript also has the power of a JavaScript also has the power of a programming languageprogramming language BranchingBranching LoopingLooping TestingTesting
JavaScript ExampleJavaScript Example<html><head><html><head><script type="text/javascript"><script type="text/javascript">function chastise_user(){function chastise_user(){alert("So, you like breaking rules?")alert("So, you like breaking rules?")document.getElementByld("cmdButton").focus(document.getElementByld("cmdButton").focus()})}
</script></head></script></head><body><h3>Don't click the button!</h3><body><h3>Don't click the button!</h3><form><form><input type="button" value="Don't Click!" <input type="button" value="Don't Click!" name="cmdButton" name="cmdButton" onClick="chastise_user()" />onClick="chastise_user()" />
</form></body></html></form></body></html> See link Ch 10v – works in IE and FirefoxSee link Ch 10v – works in IE and Firefox
JavaScript VulnerabilitiesJavaScript Vulnerabilities
See link Ch 10wSee link Ch 10w
iClicker Questions
What is the most popular Web server?A. ApacheB. Internet ExplorerC. FirefoxD. IISE. None of the above
1 of 4
What language uses tags like the example shown below? <% =time() %>
A. HTMLB. ColdFusionC. JavaScriptD. PHPE. ASP
2 of 4
Which language is a proprietary server-side scripting language developed by Microsoft?
A. HTMLB. ColdFusionC. JavaScriptD. PHPE. ASP
3 of 4
What language is typically used to make a login form like this?
A. PHPB. PerlC. VBScriptD. ASPE. HTML
4 of 4
Client’s Browser
HT
TP
or HT
TP
S
Web Server
Apache or IIS
HTML Forms
CGI Scripts
Database
SQL Server or
Oracle or
MySQL
ODBC or
OLE DB
Or ADO
Connecting to DatabasesConnecting to Databases
Web pages can display information stored Web pages can display information stored on databaseson databases
There are several technologies used to There are several technologies used to connect databases with Web applicationsconnect databases with Web applications Technology depends on the OS usedTechnology depends on the OS used
ODBCODBC
OLE DBOLE DB
ADOADO Theory is the sameTheory is the same
Open Database Connectivity Open Database Connectivity (ODBC)(ODBC)
Standard database access method developed Standard database access method developed by the SQL Access Groupby the SQL Access Group
ODBC interface allows an application to ODBC interface allows an application to accessaccess Data stored in a database management system Data stored in a database management system
(DBMS)(DBMS) Can use Oracle, SQL, or any DBMS that Can use Oracle, SQL, or any DBMS that
understands and can issue ODBC commandsunderstands and can issue ODBC commands
Interoperability among back-end DBMS is a Interoperability among back-end DBMS is a key feature of the ODBC interfacekey feature of the ODBC interface
Open Database Connectivity Open Database Connectivity (ODBC) (continued)(ODBC) (continued)
ODBC definesODBC defines Standardized representation of data typesStandardized representation of data types A library of ODBC functionsA library of ODBC functions Standard methods of connecting to and Standard methods of connecting to and
logging on to a DBMSlogging on to a DBMS
OLE DB and ADOOLE DB and ADO
Object Linking and Embedding Database Object Linking and Embedding Database (OLE DB) and(OLE DB) and
ActiveX Data Objects (ADO)ActiveX Data Objects (ADO) These two more modern, complex These two more modern, complex
technologies replace ODBC and make technologies replace ODBC and make up"Microsoft’s Universal Data Access“up"Microsoft’s Universal Data Access“
See link Ch 10x See link Ch 10x
Understanding Web Application Understanding Web Application VulnerabilitiesVulnerabilities
Many platforms and programming Many platforms and programming languages can be used to design a Web languages can be used to design a Web sitesite
Application security is as important as Application security is as important as network securitynetwork security
Attackers controlling a Web server Attackers controlling a Web server cancan
Deface the Web siteDeface the Web site Destroy or steal company’s dataDestroy or steal company’s data Gain control of user accountsGain control of user accounts Perform secondary attacks from the Web sitePerform secondary attacks from the Web site Gain root access to other applications or Gain root access to other applications or
serversservers
Open Web Application Security Open Web Application Security Project (OWASP)Project (OWASP)
Open, not-for-profit organization dedicated to Open, not-for-profit organization dedicated to finding and fighting vulnerabilities in Web finding and fighting vulnerabilities in Web applicationsapplications
Publishes the Ten Most Critical Web Publishes the Ten Most Critical Web Application Security VulnerabilitiesApplication Security Vulnerabilities
Top-10 Web application Top-10 Web application vulnerabilitiesvulnerabilities
Cross-site scripting (XSS) flawsCross-site scripting (XSS) flaws Attackers inject code into a web page, such as a Attackers inject code into a web page, such as a
forum or guestbookforum or guestbook When others user view the page, confidential When others user view the page, confidential
information is stolen information is stolen See link Ch 10zaSee link Ch 10za
Command injection flawsCommand injection flaws An attacker can embed malicious code and run a An attacker can embed malicious code and run a
program on the database serverprogram on the database server Example: SQL InjectionExample: SQL Injection
Top-10 Web application Top-10 Web application vulnerabilitiesvulnerabilities
Malicious file executionMalicious file execution Users allowed to upload or run malicious filesUsers allowed to upload or run malicious files
Unsecured Direct Object ReferenceUnsecured Direct Object Reference Information in the URL allows a user to Information in the URL allows a user to
reference files, directories, or recordsreference files, directories, or records
Cross-site Request Forgery (CSRF)Cross-site Request Forgery (CSRF) Stealing an authenticated session, by Stealing an authenticated session, by
replaying a cookie or other tokenreplaying a cookie or other token
Top-10 Web application Top-10 Web application vulnerabilitiesvulnerabilities
Information Leakage and Incorrect Error Information Leakage and Incorrect Error HandlingHandling Error messages that give away too much Error messages that give away too much
informationinformation
Broken Authentication and Session Broken Authentication and Session ManagementManagement Allow attackers to steal cookies or passwordsAllow attackers to steal cookies or passwords
Top-10 Web application Top-10 Web application vulnerabilitiesvulnerabilities
Unsecured cryptographic StorageUnsecured cryptographic Storage Storing keys, certificates, and passwords on a Web Storing keys, certificates, and passwords on a Web
server can be dangerousserver can be dangerous
Unsecured Communication Unsecured Communication Using HTTP instead of HTTPSUsing HTTP instead of HTTPS
Failure to Restrict URL AccessFailure to Restrict URL Access Security through obscuritySecurity through obscurity Hoping users don't find the "secret" URLsHoping users don't find the "secret" URLs
Cross-Site Scripting (XSS)One client posts active content, with
<script> tags or other programming contentWhen another client reads the messages, the
scripts are executed in his or her browserOne user attacks another user, using the
vulnerable Web application as a weapon
47
<script>alert("XSS vulnerability!")</script><script>alert(document.cookie)</script><script>window.location="http://www.ccsf.edu"</script>
48
XSS Scripting EffectsSteal another user's authentication cookie
Hijack sessionHarvest stored passwords from the target's
browserTake over machine through browser
vulnerabilityRedirect WebpageMany, many other evil things…
49
Application Vulnerabilities Application Vulnerabilities Countermeasures (continued)Countermeasures (continued)WebGoat projectWebGoat project Helps security testers learn how to perform Helps security testers learn how to perform
vulnerabilities testing on Web applicationsvulnerabilities testing on Web applications Developed by OWASPDeveloped by OWASP
It’s excellent, and now has video tutorialsIt’s excellent, and now has video tutorials
Assessing Web ApplicationsAssessing Web Applications
Issues to considerIssues to consider Dynamic Web pagesDynamic Web pages Connection to a backend database serverConnection to a backend database server User authentication User authentication What platform was used? What platform was used?
Does the Web Application Use Does the Web Application Use Dynamic Web Pages?Dynamic Web Pages?
Static Web pages do not create a secure Static Web pages do not create a secure environmentenvironment
IIS attack example: Directory TraversalIIS attack example: Directory Traversal Adding ..\ to a URL refers to a directory above Adding ..\ to a URL refers to a directory above
the Web page directorythe Web page directory Early versions of IIS filtered out \, but not Early versions of IIS filtered out \, but not
%c1%9c, which is a Unicode version of the %c1%9c, which is a Unicode version of the same charactersame character
See link Ch 10 zhSee link Ch 10 zh
Connection to a Backend Connection to a Backend Database ServerDatabase Server
Security testers should check for the Security testers should check for the possibility of SQL injection being used to possibility of SQL injection being used to attack the systemattack the system
SQL injection involves the attacker SQL injection involves the attacker supplying SQL commands on a Web supplying SQL commands on a Web application fieldapplication field
SQL Injection ExampleSQL Injection Example
HTML form collects HTML form collects namename and and pwpwSQL then uses those fields:SQL then uses those fields:
SELECT * FROM customerSELECT * FROM customerWHERE username = ‘name' AND password = ‘pw'WHERE username = ‘name' AND password = ‘pw'
If a hacker enters a name of If a hacker enters a name of ’ ’ OR 1=1 --OR 1=1 --
The SQL becomes:The SQL becomes:SELECT * FROM customerSELECT * FROM customerWHERE username = ‘’ OR 1=1 --' AND password WHERE username = ‘’ OR 1=1 --' AND password = ‘pw‘= ‘pw‘
Which is always true, and returns all the recordsWhich is always true, and returns all the records
HackThisSiteHackThisSite
Connection to a Backend Connection to a Backend Database ServerDatabase Server
Basic testing should look forBasic testing should look for Whether you can enter text with punctuation Whether you can enter text with punctuation
marksmarks Whether you can enter a single quotation Whether you can enter a single quotation
mark followed by any SQL keywordsmark followed by any SQL keywords Whether you can get any sort of database Whether you can get any sort of database
error when attempting to inject SQLerror when attempting to inject SQL
User AuthenticationUser Authentication
Many Web applications require another Many Web applications require another server to authenticate usersserver to authenticate users
Examine how information is passed Examine how information is passed between the two serversbetween the two servers Encrypted channelsEncrypted channels
Verify that logon and password information Verify that logon and password information is stored on secure placesis stored on secure places
Authentication servers introduce a second Authentication servers introduce a second targettarget
What Platform Was Used?What Platform Was Used?
Popular platforms include:Popular platforms include: IIS with ASP and SQL Server (Microsoft)IIS with ASP and SQL Server (Microsoft) Linux, Apache, MySQL, and PHP (LAMP)Linux, Apache, MySQL, and PHP (LAMP)
Footprinting is used to find out the platformFootprinting is used to find out the platform The more you know about a system the The more you know about a system the
easier it is to gather information about its easier it is to gather information about its vulnerabilitiesvulnerabilities
Tools of Web Attackers and Tools of Web Attackers and Security TestersSecurity Testers
Choose the right tools for the jobChoose the right tools for the job
Attackers look for tools that enable them to Attackers look for tools that enable them to attack the systemattack the system They choose their tools based on the They choose their tools based on the
vulnerabilities found on a target system or vulnerabilities found on a target system or applicationapplication
Web ToolsWeb Tools
Cgiscan.c: CGI scanning toolCgiscan.c: CGI scanning tool Written in C in 1999 by Bronc BusterWritten in C in 1999 by Bronc Buster Tool for searching Web sites for CGI scripts Tool for searching Web sites for CGI scripts
that can be exploitedthat can be exploited One of the best tools for scanning the Web for One of the best tools for scanning the Web for
systems with CGI vulnerabilitiessystems with CGI vulnerabilitiesSee link Ch 10ziSee link Ch 10zi
cgiscan and WebGoatcgiscan and WebGoat
Web Tools (continued)Web Tools (continued)
Web Tools (continued)Web Tools (continued)
Wfetch: GUI tool from MicrosoftWfetch: GUI tool from Microsoft Displays information that is not normally shown in Displays information that is not normally shown in
a browser, such as HTTP headersa browser, such as HTTP headers It also attempts authentication usingIt also attempts authentication using
Multiple HTTP methodsMultiple HTTP methods
Configuration of host name and TCP portConfiguration of host name and TCP port
HTTP 1.0 and HTTP 1.1 supportHTTP 1.0 and HTTP 1.1 support
Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiation Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiation authentication typesauthentication types
Multiple connection typesMultiple connection types
Proxy supportProxy support
Client-certificate supportClient-certificate support See link Ch 10zlSee link Ch 10zl
iClicker Questions
What attack is this person attempting?
A. Directory TraversalB. SQL InjectionC. XSSD. Man-in-the-MiddleE. Sniffing
1 of 4
What attack is this person attempting?
A. Directory Traversal B. SQL InjectionC. XSSD. Man-in-the-MiddleE. Sniffing
2 of 4
Which language contains statements like the example below?SELECT * FROM customersWHERE username='name' AND password='pw‘
A. HTMLB. JavaScriptC. ODBCD. SQLE. PHP
3 of 4
What attack is being performed below?
A. Directory Traversal B. SQL InjectionC. XSSD. Man-in-the-MiddleE. Sniffing 4 of 4
