Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg

Ethical Hacking
CHAPTER 10 – EXPLOITING WEB SERVERS
ERIC VANDERBURG

Objectives
 Describe Web applications
 Explain Web application vulnerabilities
 Describe the tools used to attack Web servers

Understanding Web
Applications
 It is nearly impossible to write a program without bugs
 Some bugs create security vulnerabilities
 Web applications also have bugs
 Web applications have a larger user base than standalone
applications
 Bugs are a bigger problem for Web applications

Web Application
Components
 Static Web pages
 Created using HTML
 Dynamic Web pages
 Need special components
 <form> tags
 Common Gateway Interface (CGI)
 Active Server Pages (ASP)
 PHP
 ColdFusion
 Scripting languages
 Database connectors

Web Forms
 Use the <form> element or tag in an HTML document
 Allows customer to submit information to the Web server
 Web servers process information from a Web form by using a
Web application
 Easy way for attackers to intercept data that users submit to a
Web server

Web Forms (continued)
 Web form example
<html>
<body>
<form>
Enter your username:
<input type="text" name="username">
<br>
Enter your password:
<input type="text" name="password">
</form></body></html>

Common Gateway Interface
(CGI)
 Handles moving data from a Web server to a Web browser
 The majority of dynamic Web pages are created with CGI and
scripting languages
 Describes how a Web server passes data to a Web browser
 Relies on Perl or another scripting language to create dynamic
Web pages
 CGI programs can be written in different programming and
scripting languages

Common Gateway Interface
(CGI) (continued)
 CGI example
 Written in Perl
 Hello.pl
 Should be placed in the cgi-bin directory on the Web server
#!/usr/bin/perl
print "Content-type: text/htmlnn";
print "Hello Security Testers!";

Active Server Pages (ASP)
 With ASP, developers can display HTML documents to users on
the fly
 Main difference from pure HTML pages
 When a user requests a Web page, one is created at that time
 ASP uses scripting languages such as JScript or VBScript
 Not all Web servers support ASP

Active Server Pages (ASP)
(continued)
 ASP example
<HTML>
<HEAD><TITLE> My First ASP Web Page </TITLE></HEAD>
<BODY>
<H1>Hello, security professionals</H1>
The time is <% = Time %>.
</BODY>
</HTML>
 Microsoft does not want users to be able to view an ASP Web
page’s source code
 This can create serious security problems

Apache Web Server
 Tomcat Apache is another Web Server program
 Tomcat Apache hosts anywhere from 50% to 60% of all Web
sites
 Advantages
 Works on just about any *NIX and Windows platform
 It is free
 Requires Java 2 Standard Runtime Environment (J2SE, version
5.0)

Using Scripting Languages
 Dynamic Web pages can be developed using scripting
languages
 VBScript
 JavaScript
 PHP

PHP: Hypertext Processor
(PHP)
 Enables Web developers to create dynamic Web pages
 Similar to ASP
 Open-source server-side scripting language
 Can be embedded in an HTML Web page using PHP tags <?php
and ?>
 Users cannot see PHP code on their Web browser
 Used primarily on UNIX systems
 Also supported on Macintosh and Microsoft platforms

PHP: Hypertext Processor
(PHP) (continued)
 PHP example
<html>
<head>
<title>My First PHP Program </title>
</head>
<body>
<?php echo '<h1>Hello, Security Testers!</h1>'; ?>
</body>
</html>
 As a security tester you should look for PHP vulnerabilities

ColdFusion
 Server-side scripting language used to develop dynamic Web
pages
 Created by the Allaire Corporation
 Uses its own proprietary tags written in ColdFusion Markup
Language (CFML)
 CFML Web applications can contain other technologies, such
as HTML or JavaScript

ColdFusion (continued)
 CFML example
<html>
<head>
<title>Using CFML</title>
</head>
<body>
<CFLOCATION URL="www.isecom.org/cf/index.htm"
ADDTOKEN="NO">
</body>
</html>
 CFML is not exempt of vulnerabilities

VBScript
 Visual Basic Script is a scripting language developed by
Microsoft
 Converts static Web pages into dynamic Web pages
 Takes advantage of the power of a full programming language
 VBScript is also prone to security vulnerabilities
 Check the Microsoft Security Bulletin for information about
VBScript vulnerabilities

VBScript (continued)
 VBScript example
<html>
<body>
<script type="text/vbscript">
document.write("<h1>Hello Security Testers!</h1>")
document.write("Date Activated: " & date())
</script>
</body>
</html>

JavaScript
 Popular scripting language
 JavaScript also has the power of a programming language
 Branching
 Looping
 Testing
 Variety of vulnerabilities exist for JavaScript that have been
exploited in older Web browsers

JavaScript (continued)
 JavaScript example
<html>
<head>
<script type="text/javascript">
function chastise_user()
{
alert("So, you like breaking rules?")
document.getElementByld("cmdButton").focus()
}
</script>
</head>
<body>
<h3>"If you are a Security Tester, please do not click the command
button below!"</h3>
<form>
<input type="button" value="Don't Click!" name="cmdButton"
onClick="chastise_user()" />
</form>
</body>
</html>

Connecting to Databases
 Web pages can display information stored on databases
 There are several technologies used to connect databases with
Web applications
 Technology depends on the OS used
 ODBC
 OLE DB
 ADO
 Theory is the same

Open Database Connectivity
(ODBC)
 Standard database access method developed by the SQL Access
Group
 ODBC interface allows an application to access
 Data stored in a database management system
 Any system that understands and can issue ODBC commands
 Interoperability among back-end DBMS is a key feature of the
ODBC interface

Open Database Connectivity
(ODBC) (continued)
 ODBC defines
 Standardized representation of data types
 A library of ODBC functions
 Standard methods of connecting to and logging on to a DBMS

Object Linking and Embedding
Database (OLE DB)
 OLE DB is a set of interfaces
 Enables applications to access data stored in a DBMS
 Developed by Microsoft
 Designed to be faster, more efficient, and more stable than ODBC
 OLE DB relies on connection strings
 Different providers can be used with OLE DB depending on the
DBMS to which you want to connect

ActiveX Data Objects (ADO)
 ActiveX defines a set of technologies that allow desktop
applications to interact with the Web
 ADO is a programming interface that allows Web
applications to access databases
 Steps for accessing a database from a Web page
 Create an ADO connection
 Open the database connection you just created
 Create an ADO recordset
 Open the recordset
 Select the data you need
 Close the recordset and the connection

Understanding Web Application
Vulnerabilities
 Many platforms and programming languages can be used to
design a Web site
 Application security is as important as network security
 Attackers controlling a Web server can
 Deface the Web site
 Destroy or steal company’s data
 Gain control of user accounts
 Perform secondary attacks from the Web site
 Gain root access to other applications or servers

Application Vulnerabilities
Countermeasures
 Open Web Application Security Project (OWASP)
 Open, not-for-profit organization dedicated to finding and fighting
vulnerabilities in Web applications
 Publishes the Ten Most Critical Web Application Security Vulnerabilities
 Top-10 Web application vulnerabilities
 Unvalidated parameters
 HTTP requests are not validated by the Web server
 Broken access control
 Developers implement access controls but fail to test them properly

Countermeasures (continued)
 Top-10 Web application vulnerabilities (continued)
 Broken account and session management
 Enables attackers to compromise passwords or session cookies to gain
access to accounts
 Cross-site scripting (XSS) flaws
 Attacker can use a Web application to run a script on the Web browser of
the system he or she is attacking
 Buffer overflows
 It is possible for an attacker to use C or C++ code that includes a buffer
overflow

 Command injection flaws
 An attacker can embed malicious code and run a program on the
database server
 Error-handling problems
 Error information sent to the user might reveal information that an attacker
can use
 Insecure use of cryptography
 Storing keys, certificates, and passwords on a Web server can be dangerous

 Remote administration flaws
 Attacker can gain access to the Web server through the remote
administration interface
 Web and application server misconfiguration
 Any Web server software out of the box is usually vulnerable to attack
 Default accounts and passwords
 Overly informative error messages

 WebGoat project
 Helps security testers learn how to perform vulnerabilities testing on Web
applications
 Developed by OWASP
 WebGoat can be used to
 Reveal HTML or Java code and any cookies or parameters used
 Hack a logon name and password

 WebGoat can be used to
 Traverse a file system on a Windows XP computer running Apache
 WebGoat’s big challenge
 Defeat an authentication mechanism
 Steal credit cards from a database
 Deface a Web site

Assessing Web Applications
 Security testers should look for answers to some important questions
 Does the Web application use dynamic Web pages?
 Does the Web application connect to a backend database server?
 Does the Web application require authentication of the user?
 On what platform was the Web application developed?

Does the Web Application Use
Dynamic Web Pages?
 Static Web pages do not create a security environment
 IIS attack example
 Submitting a specially formatted URL to the attacked Web server
 IIS does not correctly parse the URL information
 Attackers could launch a Unicode exploit
http://www.nopatchiss.com/scripts/..%255c..%255cwinn
t/system32/cmd.exe?/c+dir+c
 Attacker can even install a Trojan program

Does the Web Application
Connect to a Backend Database
Server?  Security testers should check for the possibility of SQL injection being
used to attack the system
 SQL injection involves the attacker supplying SQL commands on a
Web application field
 SQL injection examples
SELECT * FROM customer
WHERE tblusername = ' ' OR 1=1 -- ' AND tblpassword = ' '
or
SELECT * FROM customer
WHERE tblusername = ' OR "=" AND tblpassword = ' OR "="

Does the Web Application
Connect to a Backend Database
Server? (continued)  Basic testing should look for
 Whether you can enter text with punctuation marks
 Whether you can enter a single quotation mark followed by any
SQL keywords
 Whether you can get any sort of database error when
attempting to inject SQL

Does the Web Application Require
Authentication of the User?
 Many Web applications require another server authenticate users
 Examine how information is passed between the two servers
 Encrypted channels
 Verify that logon and password information is stored on secure
places
 Authentication servers introduce a second target

On What Platform Was the Web
Application Developed?
 Several different platforms and technologies can be used to
develop Web applications
 Attacks differ depending on the platform and technology used to
develop the application
 Footprinting is used to find out as much information as possible about a
target system
 The more you know about a system the easier it is to gather information
about its vulnerabilities

Tools of Web Attackers and
Security Testers
 Choose the right tools for the job
 Attackers look for tools that enable them to attack the system
 They choose their tools based on the vulnerabilities found on a target
system or application

Web Tools
 Cgiscan.c: CGI scanning tool
 Written in C in 1999 by Bronc Buster
 Tool for searching Web sites for CGI scripts that can be exploited
 One of the best tools for scanning the Web for systems with CGI
vulnerabilities

Web Tools (continued)
 Phfscan.c
 Written to scan Web sites looking for hosts that could be exploited by
the PHF bug
 The PHF bug enables an attacker to download the victim’s /etc/passwd
file
 It also allows attackers to run programs on the victim’s Web server by
using a particular URL

Web Tools (continued)
 Wfetch: GUI tool
 This tool queries the status of a Web server
 It also attempts authentication using
 Multiple HTTP methods
 Configuration of host name and TCP port
 HTTP 1.0 and HTTP 1.1 support
 Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiation
authentication types
 Multiple connection types
 Proxy support
 Client-certificate support

Summary
 Web applications can be developed on many platforms
 HTML pages can contain
 Forms
 ASP
 CGI
 Scripting languages
 Static pages have been replaced by dynamic pages
 Dynamic Web pages can be created using CGI, ASP, and JSP

Summary (continued)
 Web forms allows developers to create Web pages with which
visitors can interact
 Web applications use a variety of technologies to connect to
databases
 ODBC
 OLE DB
 ADO
 Security tests should check
 Whether the application connects to a database
 If the user is authenticated through a different server

Summary (continued)
 Many tools are available for security testers
 Cgiscan
 Wfetch
 OWASP open-source software
 Web applications that connect to databases might be
vulnerable to SQL injection
 There are many free tools for attacking Web servers available in
the Internet

Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg

More Related Content

What's hot (20)

Viewers also liked (8)

Similar to Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg (20)

More from Eric Vanderburg (20)

Recently uploaded (20)

Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg