Hands-On Ethical Hacking and Network Defense Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense

Chapter 10Hacking Web Servers

Hands-On Ethical Hacking and Network Defense 2

Objectives

• Describe Web applications

• Explain Web application vulnerabilities

• Describe the tools used to attack Web servers


Understanding Web Applications

• It is nearly impossible to write a program without bugs– Some bugs create security vulnerabilities

• Web applications also have bugs– Web applications have a larger user base than

standalone applications– Bugs are a bigger problem for Web applications


Web Application Components

• Static Web pages– Created using HTML

• Dynamic Web pages– Need special components

• <form> tags• Common Gateway Interface (CGI)• Active Server Pages (ASP)• PHP• ColdFusion• Scripting languages• Database connectors


Web Forms

• Use the <form> element or tag in an HTML document– Allows customer to submit information to the Web

server

• Web servers process information from a Web form by using a Web application

• Easy way for attackers to intercept data that users submit to a Web server


Web Forms (continued)

• Web form example<html>

<body>

<form>

Enter your username:

<input type="text" name="username">

<br>

Enter your password:

<input type="text" name="password">

</form></body></html>



Common Gateway Interface (CGI)

• Handles moving data from a Web server to a Web browser

• The majority of dynamic Web pages are created with CGI and scripting languages

• Describes how a Web server passes data to a Web browser– Relies on Perl or another scripting language to create

dynamic Web pages

• CGI programs can be written in different programming and scripting languages


Common Gateway Interface (CGI) (continued)

• CGI example– Written in Perl– Hello.pl– Should be placed in the cgi-bin directory on the Web

server#!/usr/bin/perl

print "Content-type: text/html\n\n";

print "Hello Security Testers!";


Active Server Pages (ASP)

• With ASP, developers can display HTML documents to users on the fly– Main difference from pure HTML pages– When a user requests a Web page, one is created at

that time

• ASP uses scripting languages such as JScript or VBScript

• Not all Web servers support ASP



Active Server Pages (ASP) (continued)

• ASP example<HTML>

<HEAD><TITLE> My First ASP Web Page </TITLE></HEAD>

<BODY>

<H1>Hello, security professionals</H1>

The time is <% = Time %>.

</BODY>

</HTML>

• Microsoft does not want users to be able to view an ASP Web page’s source code– This can create serious security problems


Apache Web Server

• Tomcat Apache is another Web Server program

• Tomcat Apache hosts anywhere from 50% to 60% of all Web sites

• Advantages– Works on just about any *NIX and Windows platform– It is free

• Requires Java 2 Standard Runtime Environment (J2SE, version 5.0)




Using Scripting Languages

• Dynamic Web pages can be developed using scripting languages– VBScript– JavaScript– PHP


PHP: Hypertext Processor (PHP)

• Enables Web developers to create dynamic Web pages– Similar to ASP

• Open-source server-side scripting language– Can be embedded in an HTML Web page using PHP

tags <?php and ?>

• Users cannot see PHP code on their Web browser

• Used primarily on UNIX systems– Also supported on Macintosh and Microsoft platforms


PHP: Hypertext Processor (PHP) (continued)

• PHP example<html>

<head>

<title>My First PHP Program </title>

</head>

<body>

<?php echo '<h1>Hello, Security Testers!</h1>'; ?>

</body>

</html>

• As a security tester you should look for PHP vulnerabilities


ColdFusion

• Server-side scripting language used to develop dynamic Web pages

• Created by the Allaire Corporation

• Uses its own proprietary tags written in ColdFusion Markup Language (CFML)

• CFML Web applications can contain other technologies, such as HTML or JavaScript


ColdFusion (continued)

• CFML example<html>

<head>

<title>Using CFML</title>

</head>

<body>

<CFLOCATION URL="www.isecom.org/cf/index.htm" ADDTOKEN="NO">

</body>

</html>

• CFML is not exempt of vulnerabilities


VBScript

• Visual Basic Script is a scripting language developed by Microsoft

• Converts static Web pages into dynamic Web pages– Takes advantage of the power of a full programming

language

• VBScript is also prone to security vulnerabilities– Check the Microsoft Security Bulletin for information

about VBScript vulnerabilities


VBScript (continued)

• VBScript example<html>

<body>

<script type="text/vbscript">

document.write("<h1>Hello Security Testers!</h1>")

document.write("Date Activated: " & date())

</script>

</body>

</html>



JavaScript

• Popular scripting language

• JavaScript also has the power of a programming language– Branching– Looping– Testing

• Variety of vulnerabilities exist for JavaScript that have been exploited in older Web browsers


JavaScript (continued)

• JavaScript example<html>

<head>

<script type="text/javascript">

function chastise_user()

{

alert("So, you like breaking rules?")

document.getElementByld("cmdButton").focus()

}

</script>

</head>

<body>

<h3>"If you are a Security Tester, please do not click the command

button below!"</h3>

<form>

<input type="button" value="Don't Click!" name="cmdButton"

onClick="chastise_user()" />

</form>

</body>

</html>




Connecting to Databases

• Web pages can display information stored on databases

• There are several technologies used to connect databases with Web applications– Technology depends on the OS used

• ODBC

• OLE DB

• ADO

– Theory is the same


Open Database Connectivity (ODBC)

• Standard database access method developed by the SQL Access Group

• ODBC interface allows an application to access– Data stored in a database management system– Any system that understands and can issue ODBC

commands

• Interoperability among back-end DBMS is a key feature of the ODBC interface


Open Database Connectivity (ODBC) (continued)

• ODBC defines– Standardized representation of data types– A library of ODBC functions– Standard methods of connecting to and logging on to

a DBMS


Object Linking and Embedding Database (OLE DB)

• OLE DB is a set of interfaces– Enables applications to access data stored in a

DBMS

• Developed by Microsoft– Designed to be faster, more efficient, and more

stable than ODBC

• OLE DB relies on connection strings

• Different providers can be used with OLE DB depending on the DBMS to which you want to connect



ActiveX Data Objects (ADO)• ActiveX defines a set of technologies that allow

desktop applications to interact with the Web• ADO is a programming interface that allows Web

applications to access databases• Steps for accessing a database from a Web page

– Create an ADO connection– Open the database connection you just created– Create an ADO recordset– Open the recordset– Select the data you need– Close the recordset and the connection


Understanding Web Application Vulnerabilities

• Many platforms and programming languages can be used to design a Web site

• Application security is as important as network security

• Attackers controlling a Web server can– Deface the Web site– Destroy or steal company’s data– Gain control of user accounts– Perform secondary attacks from the Web site– Gain root access to other applications or servers


Application Vulnerabilities Countermeasures

• Open Web Application Security Project (OWASP)– Open, not-for-profit organization dedicated to finding

and fighting vulnerabilities in Web applications– Publishes the Ten Most Critical Web Application

Security Vulnerabilities

• Top-10 Web application vulnerabilities– Unvalidated parameters

• HTTP requests are not validated by the Web server

– Broken access control• Developers implement access controls but fail to test

them properly


Application Vulnerabilities Countermeasures (continued)

• Top-10 Web application vulnerabilities (continued)– Broken account and session management

• Enables attackers to compromise passwords or session cookies to gain access to accounts

– Cross-site scripting (XSS) flaws• Attacker can use a Web application to run a script on

the Web browser of the system he or she is attacking

– Buffer overflows• It is possible for an attacker to use C or C++ code that

includes a buffer overflow



• Top-10 Web application vulnerabilities (continued)– Command injection flaws

• An attacker can embed malicious code and run a program on the database server

– Error-handling problems• Error information sent to the user might reveal

information that an attacker can use

– Insecure use of cryptography• Storing keys, certificates, and passwords on a Web

server can be dangerous



• Top-10 Web application vulnerabilities (continued)– Remote administration flaws

• Attacker can gain access to the Web server through the remote administration interface

– Web and application server misconfiguration• Any Web server software out of the box is usually

vulnerable to attack

– Default accounts and passwords

– Overly informative error messages



• WebGoat project– Helps security testers learn how to perform

vulnerabilities testing on Web applications– Developed by OWASP

• WebGoat can be used to– Reveal HTML or Java code and any cookies or

parameters used– Hack a logon name and password





• WebGoat can be used to– Traverse a file system on a Windows XP computer

running Apache– WebGoat’s big challenge

• Defeat an authentication mechanism

• Steal credit cards from a database

• Deface a Web site





Assessing Web Applications

• Security testers should look for answers to some important questions– Does the Web application use dynamic Web pages?– Does the Web application connect to a backend

database server?– Does the Web application require authentication of

the user?– On what platform was the Web application

developed?


Does the Web Application Use Dynamic Web Pages?

• Static Web pages do not create a security environment

• IIS attack example– Submitting a specially formatted URL to the attacked

Web server

• IIS does not correctly parse the URL information– Attackers could launch a Unicode exploithttp://www.nopatchiss.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c

– Attacker can even install a Trojan program


Does the Web Application Connect to a Backend Database Server?

• Security testers should check for the possibility of SQL injection being used to attack the system

• SQL injection involves the attacker supplying SQL commands on a Web application field

• SQL injection examplesSELECT * FROM customer

WHERE tblusername = ' ' OR 1=1 -- ' AND tblpassword = ' '

orSELECT * FROM customer

WHERE tblusername = ' OR "=" AND tblpassword = ' OR "="


Does the Web Application Connect to a Backend Database Server?

(continued)• Basic testing should look for

– Whether you can enter text with punctuation marks– Whether you can enter a single quotation mark

followed by any SQL keywords– Whether you can get any sort of database error

when attempting to inject SQL


Does the Web Application Require Authentication of the User?

• Many Web applications require another server authenticate users

• Examine how information is passed between the two servers– Encrypted channels

• Verify that logon and password information is stored on secure places

• Authentication servers introduce a second target


On What Platform Was the Web Application Developed?

• Several different platforms and technologies can be used to develop Web applications

• Attacks differ depending on the platform and technology used to develop the application– Footprinting is used to find out as much information

as possible about a target system– The more you know about a system the easier it is to

gather information about its vulnerabilities


Tools of Web Attackers and Security Testers

• Choose the right tools for the job

• Attackers look for tools that enable them to attack the system– They choose their tools based on the vulnerabilities

found on a target system or application


Web Tools

• Cgiscan.c: CGI scanning tool– Written in C in 1999 by Bronc Buster– Tool for searching Web sites for CGI scripts that can

be exploited– One of the best tools for scanning the Web for

systems with CGI vulnerabilities



Web Tools (continued)

• Phfscan.c– Written to scan Web sites looking for hosts that

could be exploited by the PHF bug– The PHF bug enables an attacker to download the

victim’s /etc/passwd file– It also allows attackers to run programs on the

victim’s Web server by using a particular URL


Web Tools (continued)

• Wfetch: GUI tool– This tool queries the status of a Web server– It also attempts authentication using

• Multiple HTTP methods

• Configuration of host name and TCP port

• HTTP 1.0 and HTTP 1.1 support

• Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiation authentication types

• Multiple connection types

• Proxy support

• Client-certificate support



Summary

• Web applications can be developed on many platforms

• HTML pages can contain– Forms– ASP– CGI– Scripting languages

• Static pages have been replaced by dynamic pages

• Dynamic Web pages can be created using CGI, ASP, and JSP


Summary (continued)

• Web forms allows developers to create Web pages with which visitors can interact

• Web applications use a variety of technologies to connect to databases– ODBC– OLE DB– ADO

• Security tests should check– Whether the application connects to a database– If the user is authenticated through a different server


Summary (continued)

• Many tools are available for security testers– Cgiscan– Wfetch– OWASP open-source software

• Web applications that connect to databases might be vulnerable to SQL injection

• There are many free tools for attacking Web servers available in the Internet

Documents

Hands-On Ethical Hacking and Network Defense Chapter 10 Hacking Web Servers