Hands-On Ethical Hacking and Network Defense
Chapter 10: Hacking Web Servers

Objectives
• Describe Web applications
• Explain Web application vulnerabilities
• Describe the tools used to attack Web servers

Understanding Web Applications
• It is nearly impossible to write a program without bugs
  – Some bugs create security vulnerabilities
• Web applications also have bugs
  – Web applications have a larger user base than standalone applications
  – Bugs are therefore a bigger problem for Web applications

Web Application Components
• Static Web pages
  – Created using HTML
• Dynamic Web pages
  – Need special components:
    • <form> tags
    • Common Gateway Interface (CGI)
    • Active Server Pages (ASP)
    • PHP
    • ColdFusion
    • Scripting languages
    • Database connectors

Web Forms
• Use the <form> element or tag in an HTML document
  – Allows the customer to submit information to the Web server
• Web servers process information from a Web form by using a Web application
• Easy way for attackers to intercept data that users submit to a Web server

Web Forms (continued)
• Web form example:

```html
<html>
<body>
<form>
Enter your username: <input type="text" name="username">
<br>
Enter your password: <input type="text" name="password">
</form>
</body>
</html>
```

Common Gateway Interface (CGI)
• Handles moving data from a Web server to a Web browser
• The majority of dynamic Web pages are created with CGI and scripting languages
• Describes how a Web server passes data to a Web browser
  – Relies on Perl or another scripting language to create dynamic Web pages
• CGI programs can be written in different programming and scripting languages

Common Gateway Interface (CGI) (continued)
• CGI example
  – Written in Perl (Hello.pl)
  – Should be placed in the cgi-bin directory on the Web server

```perl
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello Security Testers!";
```

Active Server Pages (ASP)
• With ASP, developers can display HTML documents to users on the fly
  – Main difference from pure HTML pages
  – When a user requests a Web page, one is created at that time
• ASP uses scripting languages such as JScript or VBScript
• Not all Web servers support ASP

Active Server Pages (ASP) (continued)
• ASP example:

```asp
<HTML>
<HEAD><TITLE>My First ASP Web Page</TITLE></HEAD>
<BODY>
<H1>Hello, security professionals</H1>
The time is <% = Time %>.
</BODY>
</HTML>
```

• Microsoft does not want users to be able to view an ASP Web page's source code
  – This can create serious security problems

Apache Web Server
• Tomcat Apache is another Web server program
• Tomcat Apache hosts anywhere from 50% to 60% of all Web sites
• Advantages
  – Works on just about any *NIX and Windows platform
  – It is free
• Requires Java 2 Standard Runtime Environment (J2SE, version 5.0)

Using Scripting Languages
• Dynamic Web pages can be developed using scripting languages
  – VBScript
  – JavaScript
  – PHP

PHP: Hypertext Preprocessor (PHP)
• Enables Web developers to create dynamic Web pages
  – Similar to ASP
• Open-source server-side scripting language
  – Can be embedded in an HTML Web page using the PHP tags <?php and ?>
• Users cannot see PHP code in their Web browser
• Used primarily on UNIX systems
  – Also supported on Macintosh and Microsoft platforms

PHP: Hypertext Preprocessor (PHP) (continued)
• PHP example:

```php
<html>
<head>
<title>My First PHP Program</title>
</head>
<body>
<?php
echo '<h1>Hello, Security Testers!</h1>';
?>
</body>
</html>
```

• As a security tester you should look for PHP vulnerabilities

ColdFusion
• Server-side scripting language used to develop dynamic Web pages
• Created by the Allaire Corporation
• Uses its own proprietary tags written in ColdFusion Markup Language (CFML)
• CFML Web applications can contain other technologies, such as HTML or JavaScript

ColdFusion (continued)
• CFML example:

```cfml
<html>
<head>
<title>Using CFML</title>
</head>
<body>
<CFLOCATION URL="www.isecom.org/cf/index.htm" ADDTOKEN="NO">
</body>
</html>
```

• CFML is not exempt from vulnerabilities

VBScript
• Visual Basic Script is a scripting language developed by Microsoft
• Converts static Web pages into dynamic Web pages
  – Takes advantage of the power of a full programming language
• VBScript is also prone to security vulnerabilities
  – Check the Microsoft Security Bulletin for information about VBScript vulnerabilities

VBScript (continued)
• VBScript example:

```html
<html>
<body>
<script type="text/vbscript">
document.write("<h1>Hello Security Testers!</h1>")
document.write("Date Activated: " & date())
</script>
</body>
</html>
```

JavaScript
• Popular scripting language
• JavaScript also has the power of a programming language
  – Branching
  – Looping
  – Testing
• A variety of vulnerabilities exist for JavaScript that have been exploited in older Web browsers

JavaScript (continued)
• JavaScript example:

```html
<html>
<head>
<script type="text/javascript">
function chastise_user() {
  alert("So, you like breaking rules?");
  document.getElementById("cmdButton").focus();
}
</script>
</head>
<body>
<h3>"If you are a Security Tester, please do not click the command button below!"</h3>
<form>
<!-- id added so that getElementById() can find the button; name alone is not enough -->
<input type="button" value="Don't Click!" name="cmdButton" id="cmdButton" onClick="chastise_user()" />
</form>
</body>
</html>
```

Connecting to Databases
• Web pages can display information stored in databases
• There are several technologies used to connect databases with Web applications
  – The technology depends on the OS used
    • ODBC
    • OLE DB
    • ADO
  – The theory is the same

Open Database Connectivity (ODBC)
• Standard database access method developed by the SQL Access Group
• The ODBC interface allows an application to access
  – Data stored in a database management system
  – Any system that understands and can issue ODBC commands
• Interoperability among back-end DBMSs is a key feature of the ODBC interface

Open Database Connectivity (ODBC) (continued)
• ODBC defines
  – A standardized representation of data types
  – A library of ODBC functions
  – Standard methods of connecting to and logging on to a DBMS

Object Linking and Embedding Database (OLE DB)
• OLE DB is a set of interfaces
  – Enables applications to access data stored in a DBMS
• Developed by Microsoft
  – Designed to be faster, more efficient, and more stable than ODBC
• OLE DB relies on connection strings
• Different providers can be used with OLE DB depending on the DBMS to which you want to connect

ActiveX Data Objects (ADO)
• ActiveX defines a set of technologies that allow desktop applications to interact with the Web
• ADO is a programming interface that allows Web applications to access databases
• Steps for accessing a database from a Web page
  – Create an ADO connection
  – Open the database connection you just created
  – Create an ADO recordset
  – Open the recordset
  – Select the data you need
  – Close the recordset and the connection

Understanding Web Application Vulnerabilities
• Many platforms and programming languages can be used to design a Web site
• Application security is as important as network security
• Attackers controlling a Web server can
  – Deface the Web site
  – Destroy or steal the company's data
  – Gain control of user accounts
  – Perform secondary attacks from the Web site
  – Gain root access to other applications or servers

Application Vulnerabilities Countermeasures
• Open Web Application Security Project (OWASP)
  – Open, not-for-profit organization dedicated to finding and fighting vulnerabilities in Web applications
  – Publishes the Ten Most Critical Web Application Security Vulnerabilities
• Top-10 Web application vulnerabilities
  – Unvalidated parameters
    • HTTP requests are not validated by the Web server
  – Broken access control
    • Developers implement access controls but fail to test them properly

Application Vulnerabilities Countermeasures (continued)
• Top-10 Web application vulnerabilities (continued)
  – Broken account and session management
    • Enables attackers to compromise passwords or session cookies to gain access to accounts
  – Cross-site scripting (XSS) flaws
    • An attacker can use a Web application to run a script on the Web browser of the system he or she is attacking
  – Buffer overflows
    • It is possible for an attacker to use C or C++ code that includes a buffer overflow

Application Vulnerabilities Countermeasures (continued)
• Top-10 Web application vulnerabilities (continued)
  – Command injection flaws
    • An attacker can embed malicious code and run a program on the database server
  – Error-handling problems
    • Error information sent to the user might reveal information that an attacker can use
  – Insecure use of cryptography
    • Storing keys, certificates, and passwords on a Web server can be dangerous

Application Vulnerabilities Countermeasures (continued)
• Top-10 Web application vulnerabilities (continued)
  – Remote administration flaws
    • An attacker can gain access to the Web server through the remote administration interface
  – Web and application server misconfiguration
    • Any Web server software out of the box is usually vulnerable to attack
    • Default accounts and passwords
    • Overly informative error messages

Application Vulnerabilities Countermeasures (continued)
• WebGoat project
  – Helps security testers learn how to perform vulnerability testing on Web applications
  – Developed by OWASP
• WebGoat can be used to
  – Reveal HTML or Java code and any cookies or parameters used
  – Hack a logon name and password

Application Vulnerabilities Countermeasures (continued)
• WebGoat can be used to
  – Traverse a file system on a Windows XP computer running Apache
  – WebGoat's big challenge
    • Defeat an authentication mechanism
    • Steal credit cards from a database
    • Deface a Web site

Assessing Web Applications
• Security testers should look for answers to some important questions
  – Does the Web application use dynamic Web pages?
  – Does the Web application connect to a backend database server?
  – Does the Web application require authentication of the user?
  – On what platform was the Web application developed?
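The handler below is an added example written for this page, not code from the textbook or its slides. It takes the "username" field of the Web form shown earlier plus a hypothetical free-text "note" field and shows three of the Top-10 items listed above side by side, in a weak and a hardened form: an unvalidated parameter, a reflected cross-site scripting flaw, and an error message that leaks internals. The function names, the whitelist, the customer lookup table and the sample requests are all constructed here.

```python
import html
import logging
import re

log = logging.getLogger("webapp")

# Whitelist for the form's "username" field (constructed policy): 1-32 chars of
# letters, digits, dot, underscore or hyphen. Anything else is rejected outright.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")

# Stand-in for a customer lookup table (constructed data, not from the slides).
CUSTOMERS = {"alice": "Alice Example", "bob": "Bob Example"}


def greet_unvalidated(params):
    """Weak handler: no validation, no output encoding, and the raw exception
    text is returned to the browser when something goes wrong."""
    try:
        username = params["username"]            # KeyError if the field is missing
        note = params.get("note", "")
        record = CUSTOMERS.get(username, "no such customer")
        # Both fields are reflected straight into the HTML: reflected XSS.
        return f"<h1>Hello, {username}</h1><p>{record}</p><p>{note}</p>"
    except Exception as exc:
        # Overly informative error message: exception type and data go to the client.
        return f"<h1>Error</h1><pre>{exc!r}</pre>"


def greet_hardened(params):
    """Fixed handler: whitelist-validate the lookup key, HTML-encode everything
    reflected to the browser, and keep error detail in the server log."""
    try:
        username = params.get("username", "")
        if not USERNAME_RE.fullmatch(username):
            return "<h1>Invalid request</h1>"      # reject; do not try to 'clean' it
        # Free text is allowed in the note, so it must be encoded before it lands in HTML.
        note = html.escape(params.get("note", ""))
        record = CUSTOMERS[username]             # KeyError for unknown customers
        return (f"<h1>Hello, {html.escape(username)}</h1>"
                f"<p>{html.escape(record)}</p><p>{note}</p>")
    except Exception as exc:
        log.error("greet failed for params=%r: %r", params, exc)  # detail stays server-side
        return "<h1>Something went wrong</h1>"


# Constructed sample requests: normal, XSS probe in each field, missing field, unknown user.
SAMPLE_REQUESTS = [
    {"username": "alice", "note": "thanks"},
    {"username": "<script>alert(1)</script>"},
    {"username": "alice", "note": "<script>alert(1)</script>"},
    {},
    {"username": "carol"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print("weak     :", greet_unvalidated(req))
        print("hardened :", greet_hardened(req))
```

The two handlers differ in three places only: the lookup key is checked against a whitelist instead of being trusted, anything reflected to the browser passes through html.escape(), and the except branch returns a fixed message while the exception detail goes to the server log rather than to the client.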
Does the Web Application Use Dynamic Web Pages?
• Static Web pages do not create a security exposure on their own
• IIS attack example
  – Submitting a specially formatted URL to the attacked Web server
    • IIS does not correctly parse the URL information
  – Attackers could launch a Unicode exploit:
    http://www.nopatchiss.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c
  – The attacker can even install a Trojan program

Does the Web Application Connect to a Backend Database Server?
• Security testers should check for the possibility of SQL injection being used to attack the system
• SQL injection involves the attacker supplying SQL commands in a Web application field
• SQL injection examples:

```sql
SELECT * FROM customer WHERE tblusername = ' ' OR 1=1 -- ' AND tblpassword = ' '
```

  or

```sql
SELECT * FROM customer WHERE tblusername = ' OR "=" AND tblpassword = ' OR "="
```

Does the Web Application Connect to a Backend Database Server? (continued)
• Basic testing should look for
  – Whether you can enter text with punctuation marks
  – Whether you can enter a single quotation mark followed by any SQL keywords
  – Whether you can get any sort of database error when attempting to inject SQL

Does the Web Application Require Authentication of the User?
• Many Web applications require another server to authenticate users
• Examine how information is passed between the two servers
  – Encrypted channels
• Verify that logon and password information is stored in secure places
• Authentication servers introduce a second target

On What Platform Was the Web Application Developed?
• Several different platforms and technologies can be used to develop Web applications
• Attacks differ depending on the platform and technology used to develop the application
  – Footprinting is used to find out as much information as possible about a target system
  – The more you know about a system, the easier it is to gather information about its vulnerabilities

Tools of Web Attackers and Security Testers
• Choose the right tools for the job
• Attackers look for tools that enable them to attack the system
  – They choose their tools based on the vulnerabilities found on a target system or application

Web Tools
• Cgiscan.c: CGI scanning tool
  – Written in C in 1999 by Bronc Buster
  – Tool for searching Web sites for CGI scripts that can be exploited
  – One of the best tools for scanning the Web for systems with CGI vulnerabilities

Web Tools (continued)
• Phfscan.c
  – Written to scan Web sites looking for hosts that could be exploited by the PHF bug
  – The PHF bug enables an attacker to download the victim's /etc/passwd file
  – It also allows attackers to run programs on the victim's Web server by using a particular URL

Web Tools (continued)
• Wfetch: GUI tool
  – This tool queries the status of a Web server
  – It also attempts authentication using
    • Multiple HTTP methods
    • Configuration of host name and TCP port
    • HTTP 1.0 and HTTP 1.1 support
    • Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiation authentication types
    • Multiple connection types
    • Proxy support
    • Client-certificate support

Summary
• Web applications can be developed on many platforms
• HTML pages can contain
  – Forms
  – ASP
  – CGI
  – Scripting languages
• Static pages have been replaced by dynamic pages
• Dynamic Web pages can be created using CGI, ASP, and JSP

Summary (continued)
• Web forms allow developers to create Web pages with which visitors can interact
• Web applications use a variety of technologies to connect to databases
  – ODBC
  – OLE DB
  – ADO
• Security tests should check
  – Whether the application connects to a database
  – Whether the user is authenticated through a different server

Summary (continued)
• Many tools are available for security testers
  – Cgiscan
  – Wfetch
  – OWASP open-source software
• Web applications that connect to databases might be vulnerable to SQL injection
• There are many free tools for attacking Web servers available on the Internet
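The block below is an added example, not code from the textbook; it runs the SQL injection from the "Does the Web Application Connect to a Backend Database Server?" slides against a throwaway SQLite database, so the string-built query and the parameterized one can be compared side by side, and it exercises the "basic testing" checklist item about database errors. It also follows the connect / open / select / close sequence of the ADO slide, using Python's DB-API instead of ADO. The table and column names (customer, tblusername, tblpassword) come from the slides; the rows, the function names and the probe inputs are constructed here.

```python
import sqlite3


def open_db():
    """Create the demo database in memory and seed it with constructed rows
    (steps 1-2 of the ADO slide: create and open the connection)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, tblusername TEXT, tblpassword TEXT)"
    )
    conn.executemany(
        "INSERT INTO customer (tblusername, tblpassword) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable: the form fields are pasted into the SQL text, exactly the
    shape the slide shows being broken with ' OR 1=1 --."""
    sql = (
        "SELECT id, tblusername FROM customer WHERE tblusername = '"
        + username + "' AND tblpassword = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Fixed: the values travel as bound parameters, so quotes and SQL keywords
    inside them are plain data and the query shape cannot change."""
    sql = "SELECT id, tblusername FROM customer WHERE tblusername = ? AND tblpassword = ?"
    return conn.execute(sql, (username, password)).fetchall()


def probe_for_db_error(conn, username):
    """The 'basic testing' check: does a lone single quotation mark surface a
    database error? True means SQL is being built from the field."""
    try:
        login_concatenated(conn, username, "x")
        return False
    except sqlite3.DatabaseError:
        return True


def demo():
    """Run the legitimate login, the slide's payload and the quote probe through
    both query styles; the recordset and connection are closed at the end."""
    conn = open_db()
    try:
        return {
            # a legitimate login works either way
            "legit_concat": login_concatenated(conn, "alice", "s3cret"),
            "legit_param": login_parameterized(conn, "alice", "s3cret"),
            # the slide's payload: '--' comments out the password check, 1=1 matches every row
            "inject_concat": login_concatenated(conn, "' OR 1=1 --", ""),
            "inject_param": login_parameterized(conn, "' OR 1=1 --", ""),
            # a single quote alone breaks the string-built query but not the bound one
            "quote_errors_concat": probe_for_db_error(conn, "'"),
            "quote_param": login_parameterized(conn, "'", "x"),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} -> {value}")
```

With the concatenated query the payload returns every customer row and a bare quote raises a database error; with bound parameters the same inputs return no rows and no error, which is the behaviour a tester should see from an application that is not vulnerable.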
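The check below is an added example, not code from the textbook; it is a defender-side canonicalization check for the kind of URL the IIS slide shows, where "..%255c" hides a "..\" behind two layers of percent-encoding. It decodes until the string stops changing, treats backslashes as separators, and then refuses any path that climbs above the Web root, and it shows why a check that decodes only once misses the slide's URL. The helper names, the decode-round limit and the sample URLs are constructed here; only the double-encoded URL itself comes from the slide.

```python
from urllib.parse import unquote, urlsplit

MAX_DECODE_ROUNDS = 3   # unmasks double encoding without decoding forever


def fully_decode(text):
    """Percent-decode until the string stops changing; return (decoded, rounds)."""
    rounds = 0
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds


def escapes_root(path):
    """Walk the path segments and report whether '..' ever climbs above the Web
    root. Backslashes count as separators because IIS accepted both kinds."""
    depth = 0
    for segment in path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def inspect_url(url):
    """Compare a one-round decode (where a naive check stops) with a full decode,
    and return both verdicts plus the canonical path."""
    path = urlsplit(url).path
    once = unquote(path)
    full, rounds = fully_decode(path)
    return {
        "single_decode_flags": escapes_root(once),
        "full_decode_flags": escapes_root(full),
        "decode_rounds": rounds,
        "canonical_path": full.replace("\\", "/"),
    }


# Constructed sample requests; the second is the slide's double-encoded URL.
SAMPLE_URLS = [
    "http://example.test/cgi-bin/hello.pl",
    "http://www.nopatchiss.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c",
    "http://example.test/scripts/..%5c..%5cwinnt/system32/cmd.exe",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", inspect_url(u))
```

For the slide's URL a single decode leaves "..%5c..%5cwinnt" as one harmless-looking segment, so the single-decode verdict is False; the second round turns %5c into a backslash and the traversal becomes visible. The general rule the block implements is to canonicalize fully before applying any path check, never the other way round.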