Web Security Notes: Scratching the Surface of Web Vulnerabilities and Countermeasures

Outline
• Cyber Graffiti
• Java: Remote Command Execution
• E-Shopping
• Database Access
• Impersonation
• Buffer Overflows: On-the-fly

Part 1: Cyber Graffiti

• Mapping the target network: reading e-mail headers, IP traces, port scans, etc.
• Checking which of the server IPs are reachable from the Web.
• Sending raw HTTP requests from programs such as Netcat or WebClient.
• An example: a Web server runs on port 80 and a proxy server on port 8001.
• The proxy server accepts requests from inside addresses (the local Intranet and the loopback address 127.0.0.1) and sends the proxied requests out.
• An attack the slides call Reverse Proxy Server tries to do the reverse: send an HTTP proxy request to the proxy server from outside and hope it is forwarded inward. (Strictly, what is abused is a forward proxy that accepts requests from the wrong side.)
• If this trick succeeds, you may get an authorization prompt in reply.
• In such cases HTTP authentication can be brute forced, for example with Brutus or WebCracker.
• This amounts to running a script that sends many password combinations with the user name admin.
• If one of them works, you are logged in.
• A fatal mistake at this stage is for the server to return a directory listing: you now know everything about the site.
• Next, try to find a way to post your own documents there: FTP bugs, Web-accessible scripts that upload files, etc., can be used to upload the defacing document into the staging area.
• The staging area is pushed to the ISP's Web server, and the site is yours.
• Countermeasures:
  – Turning off reverse proxying: this is Web-server dependent; on Apache, use the Listen directive to bind the proxy port to the internal network interface only.
  – Using stronger HTTP authentication passwords: passwords that are hard to crack, i.e. long and including symbols, digits, etc. Properly designed Web servers should detect repeated attempts against the authentication protocol, but most do NOT.
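The Apache side of the Part 1 countermeasures (binding the proxy port to the internal interface, and turning off directory browsing, which the next countermeasure describes), as an added example that is not part of the original slides. Listen, VirtualHost, Proxy, Require and Directory are real Apache 2.4 directives; the internal address 10.0.0.5, the network range 10.0.0.0/8, the server name and the document root are assumed placeholders.

```apache
# Added example, not from the slides. Addresses, names and paths are
# assumed placeholders; Apache 2.4 syntax.

# Public Web server: all interfaces, port 80.
Listen 80

# Proxy: bind port 8001 to the internal interface only, so the proxy
# port cannot be reached from the Internet at all. A bare "Listen 8001"
# would bind every interface, including the public one.
Listen 10.0.0.5:8001

<VirtualHost 10.0.0.5:8001>
    ServerName proxy.internal.example
    # Forward proxy for the Intranet.
    ProxyRequests On
    # Defence in depth: even if the port becomes reachable (NAT rule,
    # firewall change), only inside addresses and loopback may use it.
    <Proxy "*">
        Require ip 10.0.0.0/8 127.0.0.1
    </Proxy>
</VirtualHost>

# Directory browsing off for the public document root: a request for a
# directory with no index file now gets 403 instead of a file listing.
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>
```

Check the result rather than trusting the edit: `apachectl configtest` for syntax, then from an outside address confirm that a TCP connection to port 8001 is refused, and that `GET http://intranet-host/ HTTP/1.0` sent to port 80 is not proxied. Note that Apache configuration files do not allow comments after a directive on the same line, which is why every comment above is on its own line.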
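What the brute-force step above looks like on the wire, and the log check an administrator can run to catch it, as an added example that is not part of the original slides. The Authorization header construction follows the HTTP Basic scheme; the target credentials, the wordlist, the stand-in server and the Apache access-log lines are all constructed for the example.

```python
"""Added example (not from the slides): the Authorization header a brute-force
tool sends per guess, a scripted run against a stand-in for the server, and
the access-log check that catches such a run. Credentials, wordlist and log
lines are all constructed for the example."""
import base64
import re
from collections import defaultdict


def basic_auth_header(user, password):
    """Authorization header for HTTP Basic: base64("user:password")."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def brute_force(user, wordlist, send):
    """Try each password in turn. `send(header)` stands in for one HTTP round
    trip and returns True when the server answers something other than 401.
    Returns (password, attempts) or (None, attempts)."""
    for attempt, password in enumerate(wordlist, start=1):
        if send(basic_auth_header(user, password)):
            return password, attempt
    return None, len(wordlist)


# Constructed target: a server whose only protected account is admin.
SERVER_CREDENTIALS = {"admin": "Summer2003"}


def fake_server(header):
    """Stand-in for the protected area: True for a correct Basic credential."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return False
    user, _, password = base64.b64decode(token).decode().partition(":")
    return SERVER_CREDENTIALS.get(user) == password


# Apache combined log format. The third field (%u) is the user name the
# client supplied; Apache records it even when the answer was 401 (its docs
# warn it may be bogus in that case, which is exactly what we want to see).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
)


def auth_failures_by_ip(lines, threshold=10):
    """Count 401 responses per client IP; return {ip: (count, [users tried])}
    for every IP at or above `threshold`."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "401":
            continue
        counts[m.group("ip")] += 1
        if m.group("user") != "-":
            users[m.group("ip")].add(m.group("user"))
    return {ip: (n, sorted(users[ip])) for ip, n in counts.items() if n >= threshold}


def _log_line(ip, user, status, second):
    """One constructed access-log line in combined format."""
    return (f'{ip} - {user} [10/Oct/2003:13:55:{second:02d} -0700] '
            f'"GET /admin/ HTTP/1.0" {status} 0 "-" "Mozilla/4.0"')


# Constructed log: twelve guesses at admin from one address within seconds,
# normal traffic (plus one mistyped password) from another.
SAMPLE_LOG = [_log_line("203.0.113.7", "admin", 401, s) for s in range(12)] + [
    _log_line("198.51.100.4", "-", 200, 30),
    _log_line("198.51.100.4", "bob", 401, 31),
    _log_line("198.51.100.4", "bob", 200, 32),
]

WORDLIST = ["password", "admin", "letmein", "Summer2003", "admin123"]

if __name__ == "__main__":
    print(brute_force("admin", WORDLIST, fake_server))
    print(auth_failures_by_ip(SAMPLE_LOG))
```

The attacking side is deliberately boring: there is no rate limit, no lockout and no alert between guesses, which is the point the slides make about servers that do not detect repeated attempts. The log check is the minimum compensating control; in practice it would be run over the live access log on a schedule, with the threshold tuned to the site's normal rate of mistyped passwords.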
So it is the administrator's responsibility to check the logs regularly.
  – Turning off directory browsing: on Apache, use the Directory tag in httpd.conf; on IIS, uncheck the directory browsing check box in the configuration interface.

Part 2: Java: Remote Command Execution

• The problem: a Java-based Web server has a number of file types to process, each with its own handler:
  – HTML: handled by FileServlet
  – JSP: handled by JSPServlet
  – Servlet: handled by the servlet engine
  – SSI: handled by the SSI handler
• An attack called handler forcing simply tries to invoke a handler for a file type other than the one it was designed to handle.
• The vulnerability has been exploited in many systems, including WebLogic, WebSphere and Sun's Java server.
• It can be used to disclose source code or to run remote commands.
• One example: put Java code into the feedback file (an HTML file), then invoke that file through the JSP handler.
• Sample URL:
  – www.acmetradeonline/*.shtml/feebback/feedback.jsp
• The server's configuration file associates every request that looks like a JSP request with the JSPServlet, regardless of which file the path actually resolves to. That is the problem.
• Countermeasures: hardening the Java server
  – Sanitize input: do not accept feedback content that is stored and served verbatim.
  – Remove installation sample files: a general recommendation, since a number of exploits succeed only because those files are there.
  – Restrict executables: remove cmd.exe, ftp.exe, etc. from the production system, or restrict access to them.
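A model of the dispatch mistake behind handler forcing and of the hardened form, as an added example that is not part of the original slides and not the code of any of the servers named. The vulnerable dispatcher picks the handler from the suffix of the whole request URI (what a `*.jsp -> JSPServlet` mapping does) and then hands it whatever file the path really resolves to; the hardened one resolves the file first, dispatches on that file's own extension, and refuses extra path info on file-backed resources. The handler table, the document root and the feedback page contents are constructed for the example; the JSP fragment in the feedback page stands for attacker-supplied input and is harmless.

```python
"""Added example (not from the slides): suffix-based dispatch that handler
forcing abuses, next to a dispatcher that resolves the file first. The
handler table and document root are constructed for the example."""
import html
import posixpath

# Constructed handler table, modelled on the slides' list.
HANDLERS = {
    ".html": "FileServlet",
    ".htm": "FileServlet",
    ".jsp": "JSPServlet",
    ".shtml": "SSIHandler",
}
DEFAULT_HANDLER = "FileServlet"

# Constructed document root: path -> contents. The feedback page is plain
# HTML whose body came from a user-submitted form, so it carries a JSP
# expression that only matters if the JSP handler ever processes it.
DOCROOT = {
    "/index.html": "<html>Welcome</html>",
    "/feedback/feedback.html": '<html>Thanks! <%= System.getProperty("user.name") %></html>',
    "/app/hello.jsp": "<%= new java.util.Date() %>",
}


def resolve(request_path, docroot=DOCROOT):
    """Split a request path into (file, path_info) the way servlet containers
    do: the longest leading prefix that names a real file is the file, the
    remainder is extra path info. Returns (None, None) if nothing matches."""
    norm = posixpath.normpath(request_path)
    if not norm.startswith("/"):
        return None, None
    parts = norm.split("/")
    for i in range(len(parts), 1, -1):
        candidate = "/".join(parts[:i])
        if candidate in docroot:
            rest = "/".join(parts[i:])
            return candidate, ("/" + rest if rest else "")
    return None, None


def dispatch_by_suffix(request_path):
    """VULNERABLE: choose the handler from the suffix of the whole request
    URI, then give it whatever file the path resolves to."""
    file, _path_info = resolve(request_path)
    if file is None:
        return 404, None, None
    handler = HANDLERS.get(posixpath.splitext(request_path)[1], DEFAULT_HANDLER)
    return 200, handler, file


def dispatch_by_file(request_path):
    """HARDENED: resolve first, choose the handler from the resolved file's
    own extension, and refuse extra path info on file-backed resources so
    the request suffix can no longer differ from the file's type."""
    file, path_info = resolve(request_path)
    if file is None or path_info:
        return 404, None, None
    handler = HANDLERS.get(posixpath.splitext(file)[1], DEFAULT_HANDLER)
    return 200, handler, file


def sanitize_feedback(text):
    """The 'sanitize input' countermeasure for stored feedback: escape it so
    that '<%' and tags survive only as inert text, whichever handler
    eventually serves the page."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    # Handler forcing: the HTML page is fed to the JSP engine ...
    print(dispatch_by_suffix("/feedback/feedback.html/x.jsp"))
    # ... and the reverse forces a JSP through the static file handler,
    # disclosing its source.
    print(dispatch_by_suffix("/app/hello.jsp/x.html"))
    print(dispatch_by_file("/feedback/feedback.html/x.jsp"))
    print(sanitize_feedback('<%= System.getProperty("user.name") %>'))
```

Both outcomes the slides mention fall out of the same mistake: a `.jsp` suffix on an HTML path makes the JSP engine compile user-supplied content, and an `.html` suffix on a JSP path makes the static handler disclose its source. Real servlets that are mapped by URL rather than backed by a file still need path info, so a production fix keeps a separate URL-mapped table for them; the point here is that file-backed resources must be dispatched on what they are, not on what the request claims to be.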