Hands-On Ethical Hacking and Network Security

Hands-On Ethical Hackingand Network Defense

Chapter 10

Hacking Web Servers

Hands-On Ethical Hacking and Network Defense

Objectives

•Describe Web applications

•Explain Web application vulnerabilities

•Describe the tools used to attack Web servers

Hands-On Ethical Hacking and Network Defense

Understanding Web Applications

•It is nearly impossible to write a program withoutbugs

–Some bugs create security vulnerabilities

•Web applications also have bugs

–Web applications have a larger user base thanstandalone applications

–Bugs are a bigger problem for Web applications

Hands-On Ethical Hacking and Network Defense

Web Application Components

•Static Web pages

–Created using HTML

•Dynamic Web pages

–Need special components

•<form> tags

•Common Gateway Interface (CGI)

•Active Server Pages (ASP)

•PHP

•ColdFusion

•Scripting languages

•Database connectors

Hands-On Ethical Hacking and Network Defense

Web Forms

•Use the <form> element or tag in an HTMLdocument

–Allows customer to submit information to the Webserver

•Web servers process information from a Web formby using a Web application

•Easy way for attackers to intercept data that userssubmit to a Web server

Hands-On Ethical Hacking and Network Defense

Web Forms (continued)

•Web form example

<html>

<body>

<form>

Enter your username:

<br>

Enter your password:

</form></body></html>

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense

Common Gateway Interface (CGI)

•Handles moving data from a Web server to a Webbrowser

•The majority of dynamic Web pages are created withCGI and scripting languages

•Describes how a Web server passes data to a Webbrowser

–Relies on Perl or another scripting language to createdynamic Web pages

•CGI programs can be written in differentprogramming and scripting languages

Hands-On Ethical Hacking and Network Defense

Common Gateway Interface (CGI)(continued)

•CGI example

–Written in Perl

–Hello.pl

–Should be placed in the cgi-bin directory on the Webserver

#!/usr/bin/perl

print "Content-type: text/html\n\n";

print "Hello Security Testers!";

Hands-On Ethical Hacking and Network Defense

Active Server Pages (ASP)

•With ASP, developers can display HTML documentsto users on the fly

–Main difference from pure HTML pages

–When a user requests a Web page, one is created atthat time

•ASP uses scripting languages such as JScript orVBScript

•Not all Web servers support ASP

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense

Active Server Pages (ASP)(continued)

•ASP example

<HTML>

<HEAD><TITLE> My First ASP Web Page </TITLE></HEAD>

<BODY>

<H1>Hello, security professionals</H1>

The time is <% = Time %>.

</BODY>

</HTML>

•Microsoft does not want users to be able to view anASP Web page’s source code

–This can create serious security problems

Hands-On Ethical Hacking and Network Defense

Apache Web Server

•Tomcat Apache is another Web Server program

•Tomcat Apache hosts anywhere from 50% to 60% ofall Web sites

•Advantages

–Works on just about any *NIX and Windows platform

–It is free

•Requires Java 2 Standard Runtime Environment(J2SE, version 5.0)

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense

Using Scripting Languages

•Dynamic Web pages can be developed usingscripting languages

–VBScript

–JavaScript

–PHP

Hands-On Ethical Hacking and Network Defense

PHP: Hypertext Processor (PHP)

•Enables Web developers to create dynamic Webpages

–Similar to ASP

•Open-source server-side scripting language

–Can be embedded in an HTML Web page using PHPtags <?php and ?>

•Users cannot see PHP code on their Web browser

•Used primarily on UNIX systems

–Also supported on Macintosh and Microsoft platforms

Hands-On Ethical Hacking and Network Defense

PHP: Hypertext Processor (PHP)(continued)

•PHP example

<html>

<head>

<title>My First PHP Program </title>

</head>

<body>

<?php echo '<h1>Hello, Security Testers!</h1>'; ?>

</body>

</html>

•As a security tester you should look for PHPvulnerabilities

Hands-On Ethical Hacking and Network Defense

ColdFusion

•Server-side scripting language used to developdynamic Web pages

•Created by the Allaire Corporation

•Uses its own proprietary tags written in ColdFusionMarkup Language (CFML)

•CFML Web applications can contain othertechnologies, such as HTML or JavaScript

Hands-On Ethical Hacking and Network Defense

ColdFusion (continued)

•CFML example

<html>

<head>

<title>Using CFML</title>

</head>

<body>

</body>

</html>

•CFML is not exempt of vulnerabilities

Hands-On Ethical Hacking and Network Defense

VBScript

•Visual Basic Script is a scripting language developedby Microsoft

•Converts static Web pages into dynamic Web pages

–Takes advantage of the power of a full programminglanguage

•VBScript is also prone to security vulnerabilities

–Check the Microsoft Security Bulletin for informationabout VBScript vulnerabilities

Hands-On Ethical Hacking and Network Defense

VBScript (continued)

•VBScript example

<html>

<body>

document.write("<h1>Hello Security Testers!</h1>")

document.write("Date Activated: " & date())

</script>

</body>

</html>

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense

JavaScript

•Popular scripting language

•JavaScript also has the power of a programminglanguage

–Branching

–Looping

–Testing

•Variety of vulnerabilities exist for JavaScript thathave been exploited in older Web browsers

Hands-On Ethical Hacking and Network Defense

JavaScript (continued)

•JavaScript example

<html>

<head>

function chastise_user()

{

alert("So, you like breaking rules?")

document.getElementByld("cmdButton").focus()

}

</script>

</head>

<body>

<h3>"If you are a Security Tester, please do not click the command

button below!"</h3>

<form>

<input type="button" value="Don't Click!" name="cmdButton"

onClick="chastise_user()" />

</form>

</body>

</html>

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense

Connecting to Databases

•Web pages can display information stored ondatabases

•There are several technologies used to connectdatabases with Web applications

–Technology depends on the OS used

•ODBC

•OLE DB

•ADO

–Theory is the same

Hands-On Ethical Hacking and Network Defense

Open Database Connectivity (ODBC)

•Standard database access method developed bythe SQL Access Group

•ODBC interface allows an application to access

–Data stored in a database management system

–Any system that understands and can issue ODBCcommands

•Interoperability among back-end DBMS is a keyfeature of the ODBC interface

Hands-On Ethical Hacking and Network Defense

Open Database Connectivity (ODBC)(continued)

•ODBC defines

–Standardized representation of data types

–A library of ODBC functions

–Standard methods of connecting to and logging onto a DBMS

Hands-On Ethical Hacking and Network Defense

Object Linking and EmbeddingDatabase (OLE DB)

•OLE DB is a set of interfaces

–Enables applications to access data stored in aDBMS

•Developed by Microsoft

–Designed to be faster, more efficient, and morestable than ODBC

•OLE DB relies on connection strings

•Different providers can be used with OLE DBdepending on the DBMS to which you want toconnect

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense

ActiveX Data Objects (ADO)

•ActiveX defines a set of technologies that allowdesktop applications to interact with the Web

•ADO is a programming interface that allows Webapplications to access databases

•Steps for accessing a database from a Web page

–Create an ADO connection

–Open the database connection you just created

–Create an ADO recordset

–Open the recordset

–Select the data you need

–Close the recordset and the connection

Hands-On Ethical Hacking and Network Defense

Understanding Web ApplicationVulnerabilities

•Many platforms and programming languages canbe used to design a Web site

•Application security is as important as networksecurity

•Attackers controlling a Web server can

–Deface the Web site

–Destroy or steal company’s data

–Gain control of user accounts

–Perform secondary attacks from the Web site

–Gain root access to other applications or servers

Hands-On Ethical Hacking and Network Defense

Application VulnerabilitiesCountermeasures

•Open Web Application Security Project (OWASP)

–Open, not-for-profit organization dedicated to findingand fighting vulnerabilities in Web applications

–Publishes the Ten Most Critical Web ApplicationSecurity Vulnerabilities

•Top-10 Web application vulnerabilities

–Unvalidated parameters

•HTTP requests are not validated by the Web server

–Broken access control

•Developers implement access controls but fail to testthem properly

Hands-On Ethical Hacking and Network Defense

Application VulnerabilitiesCountermeasures (continued)

•Top-10 Web application vulnerabilities (continued)

–Broken account and session management

•Enables attackers to compromise passwords orsession cookies to gain access to accounts

–Cross-site scripting (XSS) flaws

•Attacker can use a Web application to run a script onthe Web browser of the system he or she is attacking

–Buffer overflows

•It is possible for an attacker to use C or C++ code thatincludes a buffer overflow

Hands-On Ethical Hacking and Network Defense

Application VulnerabilitiesCountermeasures (continued)

•Top-10 Web application vulnerabilities (continued)

–Command injection flaws

•An attacker can embed malicious code and run aprogram on the database server

–Error-handling problems

•Error information sent to the user might revealinformation that an attacker can use

–Insecure use of cryptography

•Storing keys, certificates, and passwords on a Webserver can be dangerous

Hands-On Ethical Hacking and Network Defense

Application VulnerabilitiesCountermeasures (continued)

•Top-10 Web application vulnerabilities (continued)

–Remote administration flaws

•Attacker can gain access to the Web server throughthe remote administration interface

–Web and application server misconfiguration

•Any Web server software out of the box is usuallyvulnerable to attack

–Default accounts and passwords

–Overly informative error messages

Hands-On Ethical Hacking and Network Defense

Application VulnerabilitiesCountermeasures (continued)

•WebGoat project

–Helps security testers learn how to performvulnerabilities testing on Web applications

–Developed by OWASP

•WebGoat can be used to

–Reveal HTML or Java code and any cookies orparameters used

–Hack a logon name and password

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense

Application VulnerabilitiesCountermeasures (continued)

•WebGoat can be used to

–Traverse a file system on a Windows XP computerrunning Apache

–WebGoat’s big challenge

•Defeat an authentication mechanism

•Steal credit cards from a database

•Deface a Web site

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense

Assessing Web Applications

•Security testers should look for answers to someimportant questions

–Does the Web application use dynamic Web pages?

–Does the Web application connect to a backenddatabase server?

–Does the Web application require authentication ofthe user?

–On what platform was the Web applicationdeveloped?

Hands-On Ethical Hacking and Network Defense

Does the Web Application UseDynamic Web Pages?

•Static Web pages do not create a securityenvironment

•IIS attack example

–Submitting a specially formatted URL to the attackedWeb server

•IIS does not correctly parse the URL information

–Attackers could launch a Unicode exploit

http://www.nopatchiss.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c

–Attacker can even install a Trojan program

Hands-On Ethical Hacking and Network Defense

Does the Web Application Connect toa Backend Database Server?

•Security testers should check for the possibility ofSQL injection being used to attack the system

•SQL injection involves the attacker supplying SQLcommands on a Web application field

•SQL injection examples

SELECT * FROM customer

WHERE tblusername = ' ' OR 1=1 -- ' AND tblpassword = ' '

SELECT * FROM customer

WHERE tblusername = ' OR "=" AND tblpassword = ' OR "="

Hands-On Ethical Hacking and Network Defense

Does the Web Application Connect toa Backend Database Server?(continued)

•Basic testing should look for

–Whether you can enter text with punctuation marks

–Whether you can enter a single quotation markfollowed by any SQL keywords

–Whether you can get any sort of database errorwhen attempting to inject SQL

Hands-On Ethical Hacking and Network Defense

Does the Web Application RequireAuthentication of the User?

•Many Web applications require another serverauthenticate users

•Examine how information is passed between thetwo servers

–Encrypted channels

•Verify that logon and password information isstored on secure places

•Authentication servers introduce a second target

Hands-On Ethical Hacking and Network Defense

On What Platform Was the WebApplication Developed?

•Several different platforms and technologies can beused to develop Web applications

•Attacks differ depending on the platform andtechnology used to develop the application

–Footprinting is used to find out as much informationas possible about a target system

–The more you know about a system the easier it is togather information about its vulnerabilities

Hands-On Ethical Hacking and Network Defense

Tools of Web Attackers and SecurityTesters

•Choose the right tools for the job

•Attackers look for tools that enable them to attackthe system

–They choose their tools based on the vulnerabilitiesfound on a target system or application

Hands-On Ethical Hacking and Network Defense

Web Tools

•Cgiscan.c: CGI scanning tool

–Written in C in 1999 by Bronc Buster

–Tool for searching Web sites for CGI scripts that canbe exploited

–One of the best tools for scanning the Web forsystems with CGI vulnerabilities

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense

Web Tools (continued)

•Phfscan.c

–Written to scan Web sites looking for hosts thatcould be exploited by the PHF bug

–The PHF bug enables an attacker to download thevictim’s /etc/passwd file

–It also allows attackers to run programs on thevictim’s Web server by using a particular URL

Hands-On Ethical Hacking and Network Defense

Web Tools (continued)

•Wfetch: GUI tool

–This tool queries the status of a Web server

–It also attempts authentication using

•Multiple HTTP methods

•Configuration of host name and TCP port

•HTTP 1.0 and HTTP 1.1 support

•Anonymous, Basic, NTLM, Kerberos, Digest, andNegotiation authentication types

•Multiple connection types

•Proxy support

•Client-certificate support

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense

Summary

•Web applications can be developed on manyplatforms

•HTML pages can contain

–Forms

–ASP

–CGI

–Scripting languages

•Static pages have been replaced by dynamic pages

•Dynamic Web pages can be created using CGI, ASP,and JSP

Hands-On Ethical Hacking and Network Defense

Summary (continued)

•Web forms allows developers to create Web pageswith which visitors can interact

•Web applications use a variety of technologies toconnect to databases

–ODBC

–OLE DB

–ADO

•Security tests should check

–Whether the application connects to a database

–If the user is authenticated through a different server

Hands-On Ethical Hacking and Network Defense

Summary (continued)

•Many tools are available for security testers

–Cgiscan

–Wfetch

–OWASP open-source software

•Web applications that connect to databases might bevulnerable to SQL injection

•There are many free tools for attacking Web serversavailable in the Internet