Hands-On Ethical Hacking and Network Security

Hands-On Ethical Hacking
and Network Defense
Chapter 10
Hacking Web Servers
Objectives
• Describe Web applications
• Explain Web application vulnerabilities
• Describe the tools used to attack Web servers
Hands-On Ethical Hacking and Network Defense
2
Understanding Web Applications
• It is nearly impossible to write a program without
bugs
– Some bugs create security vulnerabilities
• Web applications also have bugs
– Web applications have a larger user base than
standalone applications
– Bugs are a bigger problem for Web applications
Web Application Components
• Static Web pages
– Created using HTML
• Dynamic Web pages
– Need special components
• <form> tags
• Common Gateway Interface (CGI)
• Active Server Pages (ASP)
• PHP
• ColdFusion
• Scripting languages
• Database connectors
Web Forms
• Use the <form> element or tag in an HTML
document
– Allows customer to submit information to the Web
server
• Web servers process information from a Web form
by using a Web application
• Easy way for attackers to intercept data that users
submit to a Web server
Web Forms (continued)
• Web form example
<html>
<body>
<form>
Enter your username:
<input type="text" name="username">
<br>
Enter your password:
<input type="text" name="password">
</form></body></html>
Common Gateway Interface (CGI)
• Handles moving data from a Web server to a Web
browser
• The majority of dynamic Web pages are created with
CGI and scripting languages
• Describes how a Web server passes data to a Web
browser
– Relies on Perl or another scripting language to create
dynamic Web pages
• CGI programs can be written in different
programming and scripting languages
Common Gateway Interface (CGI)
(continued)
• CGI example
– Written in Perl
– Hello.pl
– Should be placed in the cgi-bin directory on the Web
server
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello Security Testers!";
Active Server Pages (ASP)
• With ASP, developers can display HTML documents
to users on the fly
– Main difference from pure HTML pages
– When a user requests a Web page, one is created at
that time
• ASP uses scripting languages such as JScript or
VBScript
• Not all Web servers support ASP
Active Server Pages (ASP)
(continued)
• ASP example
<HTML>
<HEAD><TITLE> My First ASP Web Page </TITLE></HEAD>
<BODY>
<H1>Hello, security professionals</H1>
The time is <% = Time %>.
</BODY>
</HTML>
• Microsoft does not want users to be able to view an
ASP Web page’s source code
– This can create serious security problems
Apache Web Server
• Tomcat Apache is another Web server program
• Tomcat Apache hosts anywhere from 50% to 60% of
all Web sites
• Advantages
– Works on just about any *NIX and Windows platform
– It is free
• Requires Java 2 Standard Runtime Environment
(J2SE, version 5.0)
Using Scripting Languages
• Dynamic Web pages can be developed using
scripting languages
– VBScript
– JavaScript
– PHP
PHP: Hypertext Preprocessor (PHP)
• Enables Web developers to create dynamic Web
pages
– Similar to ASP
• Open-source server-side scripting language
– Can be embedded in an HTML Web page using PHP
tags <?php and ?>
• Users cannot see PHP code on their Web browser
• Used primarily on UNIX systems
– Also supported on Macintosh and Microsoft platforms
PHP: Hypertext Preprocessor (PHP)
(continued)
• PHP example
<html>
<head>
<title>My First PHP Program </title>
</head>
<body>
<?php echo '<h1>Hello, Security Testers!</h1>'; ?>
</body>
</html>
• As a security tester you should look for PHP
vulnerabilities
ColdFusion
• Server-side scripting language used to develop
dynamic Web pages
• Created by the Allaire Corporation
• Uses its own proprietary tags written in ColdFusion
Markup Language (CFML)
• CFML Web applications can contain other
technologies, such as HTML or JavaScript
ColdFusion (continued)
• CFML example
<html>
<head>
<title>Using CFML</title>
</head>
<body>
<CFLOCATION URL="www.isecom.org/cf/index.htm"
ADDTOKEN="NO">
</body>
</html>
• CFML is not exempt from vulnerabilities
VBScript
• Visual Basic Script is a scripting language developed
by Microsoft
• Converts static Web pages into dynamic Web pages
– Takes advantage of the power of a full programming
language
• VBScript is also prone to security vulnerabilities
– Check the Microsoft Security Bulletin for information
about VBScript vulnerabilities
VBScript (continued)
• VBScript example
<html>
<body>
<script type="text/vbscript">
document.write("<h1>Hello Security Testers!</h1>")
document.write("Date Activated: " & date())
</script>
</body>
</html>
JavaScript
• Popular scripting language
• JavaScript also has the power of a programming
language
– Branching
– Looping
– Testing
• Variety of vulnerabilities exist for JavaScript that
have been exploited in older Web browsers
JavaScript (continued)
• JavaScript example
<html>
<head>
<script type="text/javascript">
function chastise_user()
{
alert("So, you like breaking rules?")
document.getElementById("cmdButton").focus()
}
</script>
</head>
<body>
<h3>"If you are a Security Tester, please do not click the command
button below!"</h3>
<form>
<input type="button" value="Don't Click!" name="cmdButton"
onClick="chastise_user()" />
</form>
</body>
</html>
Connecting to Databases
• Web pages can display information stored on
databases
• There are several technologies used to connect
databases with Web applications
– Technology depends on the OS used
• ODBC
• OLE DB
• ADO
– Theory is the same
Open Database Connectivity (ODBC)
• Standard database access method developed by
the SQL Access Group
• ODBC interface allows an application to access
– Data stored in a database management system
– Any system that understands and can issue ODBC
commands
• Interoperability among back-end DBMS is a key
feature of the ODBC interface
Open Database Connectivity (ODBC)
(continued)
• ODBC defines
– Standardized representation of data types
– A library of ODBC functions
– Standard methods of connecting to and logging on
to a DBMS
Object Linking and Embedding
Database (OLE DB)
• OLE DB is a set of interfaces
– Enables applications to access data stored in a
DBMS
• Developed by Microsoft
– Designed to be faster, more efficient, and more
stable than ODBC
• OLE DB relies on connection strings
• Different providers can be used with OLE DB
depending on the DBMS to which you want to
connect
ActiveX Data Objects (ADO)
• ActiveX defines a set of technologies that allow
desktop applications to interact with the Web
• ADO is a programming interface that allows Web
applications to access databases
• Steps for accessing a database from a Web page
– Create an ADO connection
– Open the database connection you just created
– Create an ADO recordset
– Open the recordset
– Select the data you need
– Close the recordset and the connection
Understanding Web Application
Vulnerabilities
• Many platforms and programming languages can
be used to design a Web site
• Application security is as important as network
security
• Attackers controlling a Web server can
– Deface the Web site
– Destroy or steal company’s data
– Gain control of user accounts
– Perform secondary attacks from the Web site
– Gain root access to other applications or servers
Application Vulnerabilities
Countermeasures
• Open Web Application Security Project (OWASP)
– Open, not-for-profit organization dedicated to finding
and fighting vulnerabilities in Web applications
– Publishes the Ten Most Critical Web Application
Security Vulnerabilities
• Top-10 Web application vulnerabilities
– Unvalidated parameters
• HTTP requests are not validated by the Web server
– Broken access control
• Developers implement access controls but fail to test
them properly
Application Vulnerabilities
Countermeasures (continued)
• Top-10 Web application vulnerabilities (continued)
– Broken account and session management
• Enables attackers to compromise passwords or
session cookies to gain access to accounts
– Cross-site scripting (XSS) flaws
• Attacker can use a Web application to run a script on
the Web browser of the system he or she is attacking
– Buffer overflows
• It is possible for an attacker to use C or C++ code that
includes a buffer overflow
Application Vulnerabilities
Countermeasures (continued)
• Top-10 Web application vulnerabilities (continued)
– Command injection flaws
• An attacker can embed malicious code and run a
program on the database server
– Error-handling problems
• Error information sent to the user might reveal
information that an attacker can use
– Insecure use of cryptography
• Storing keys, certificates, and passwords on a Web
server can be dangerous
Application Vulnerabilities
Countermeasures (continued)
• Top-10 Web application vulnerabilities (continued)
– Remote administration flaws
• Attacker can gain access to the Web server through
the remote administration interface
– Web and application server misconfiguration
• Any Web server software out of the box is usually
vulnerable to attack
– Default accounts and passwords
– Overly informative error messages
Application Vulnerabilities
Countermeasures (continued)
• WebGoat project
– Helps security testers learn how to perform
vulnerability testing on Web applications
– Developed by OWASP
• WebGoat can be used to
– Reveal HTML or Java code and any cookies or
parameters used
– Hack a logon name and password
Application Vulnerabilities
Countermeasures (continued)
• WebGoat can be used to
– Traverse a file system on a Windows XP computer
running Apache
– WebGoat’s big challenge
• Defeat an authentication mechanism
• Steal credit cards from a database
• Deface a Web site
Assessing Web Applications
• Security testers should look for answers to some
important questions
– Does the Web application use dynamic Web pages?
– Does the Web application connect to a backend
database server?
– Does the Web application require authentication of
the user?
– On what platform was the Web application
developed?
Does the Web Application Use
Dynamic Web Pages?
• Static Web pages by themselves do not create a
security exposure
• IIS attack example
– Submitting a specially formatted URL to the attacked
Web server
• IIS does not correctly parse the URL information
– Attackers could launch a Unicode exploit
http://www.nopatchiss.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c
– Attacker can even install a Trojan program
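The slide's URL is an added example here (not the book's code) of why a server-side path check must decode to a fixed point before looking for "..": %255c decodes to %5c and only then to a backslash, so a single-decode check sees a harmless-looking file name. The request string is the slide's own, joined onto one line; the checking functions are constructed for this illustration.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample input: the slide's request joined onto one line. %255c is a
# double-encoded backslash: one decode yields %5c, a second yields '\'.
SLIDE_URL = ("http://www.nopatchiss.com/scripts/..%255c..%255c"
             "winnt/system32/cmd.exe?/c+dir+c")

def canonical_path(raw_path, max_rounds=4):
    """Percent-decode until the text stops changing, then treat '\\' as '/'."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def climbs_above_root(path):
    """True if any '..' segment would leave the site's virtual root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def naive_check_blocks(url):
    """A single-decode check: the mistake that lets the slide's URL through."""
    return climbs_above_root(unquote(urlsplit(url).path).replace("\\", "/"))

def canonical_check_blocks(url):
    """Decode to a fixed point first, then apply the same traversal test."""
    return climbs_above_root(canonical_path(urlsplit(url).path))

if __name__ == "__main__":
    print(naive_check_blocks(SLIDE_URL))      # False: sees '..%5c..%5cwinnt' as one name
    print(canonical_check_blocks(SLIDE_URL))  # True: sees '../../winnt/...'
    print(canonical_check_blocks("http://www.nopatchiss.com/scripts/hello.pl"))  # False
```

The canonical check only handles the percent-encoding variant shown on the slide; overlong UTF-8 sequences (the "Unicode" variant proper) have to be rejected by the UTF-8 decoder itself.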
Does the Web Application Connect to
a Backend Database Server?
• Security testers should check for the possibility of
SQL injection being used to attack the system
• SQL injection involves the attacker supplying SQL
commands on a Web application field
• SQL injection examples
SELECT * FROM customer
WHERE tblusername = ' ' OR 1=1 -- ' AND tblpassword = ' '
or
SELECT * FROM customer
WHERE tblusername = '' OR ''='' AND tblpassword = '' OR ''=''
Does the Web Application Connect to
a Backend Database Server?
(continued)
• Basic testing should look for
– Whether you can enter text with punctuation marks
– Whether you can enter a single quotation mark
followed by any SQL keywords
– Whether you can get any sort of database error
when attempting to inject SQL
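The two injected queries from the previous slide and the single-quote probe from the checklist above, run against a small in-memory SQLite table, as an added example that is not the book's own code: the string-concatenated query the injections rely on sits beside its parameterized replacement. Table contents are constructed; the column names follow the slide.

```python
import sqlite3

# Constructed sample data mirroring the slide's column names.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customer (id INTEGER, tblusername TEXT, tblpassword TEXT)")
    con.executemany("INSERT INTO customer VALUES (?, ?, ?)",
                    [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return con

def login_vulnerable(con, username, password):
    """The pattern behind the slide's examples: form input pasted into the SQL text."""
    sql = ("SELECT * FROM customer WHERE tblusername = '" + username
           + "' AND tblpassword = '" + password + "'")
    return con.execute(sql).fetchall()

def login_parameterized(con, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL."""
    sql = "SELECT * FROM customer WHERE tblusername = ? AND tblpassword = ?"
    return con.execute(sql, (username, password)).fetchall()

def quote_causes_db_error(login, con):
    """The slide's basic test: does a lone single quote produce a database error?"""
    try:
        login(con, "alice'", "")
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    con = make_db()
    # Slide example 1: ' OR 1=1 -- comments the password check out of the query.
    print(login_vulnerable(con, "' OR 1=1 -- ", ""))        # every customer row
    # Slide example 2: '' OR ''='' makes both conditions always true.
    print(login_vulnerable(con, "' OR ''='", "' OR ''='"))  # every customer row
    print(login_parameterized(con, "' OR 1=1 -- ", ""))     # []
    print(quote_causes_db_error(login_vulnerable, con))     # True
    print(quote_causes_db_error(login_parameterized, con))  # False
```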
Does the Web Application Require
Authentication of the User?
• Many Web applications require that another server
authenticate users
• Examine how information is passed between the
two servers
– Encrypted channels
• Verify that logon and password information is
stored in secure places
• Authentication servers introduce a second target
On What Platform Was the Web
Application Developed?
• Several different platforms and technologies can be
used to develop Web applications
• Attacks differ depending on the platform and
technology used to develop the application
– Footprinting is used to find out as much information
as possible about a target system
– The more you know about a system, the easier it is to
gather information about its vulnerabilities
Tools of Web Attackers and Security
Testers
• Choose the right tools for the job
• Attackers look for tools that enable them to attack
the system
– They choose their tools based on the vulnerabilities
found on a target system or application
Web Tools
• Cgiscan.c: CGI scanning tool
– Written in C in 1999 by Bronc Buster
– Tool for searching Web sites for CGI scripts that can
be exploited
– One of the best tools for scanning the Web for
systems with CGI vulnerabilities
Web Tools (continued)
• Phfscan.c
– Written to scan Web sites looking for hosts that
could be exploited by the PHF bug
– The PHF bug enables an attacker to download the
victim’s /etc/passwd file
– It also allows attackers to run programs on the
victim’s Web server by using a particular URL
Web Tools (continued)
• Wfetch: GUI tool
– This tool queries the status of a Web server
– It also attempts authentication using
• Multiple HTTP methods
• Configuration of host name and TCP port
• HTTP 1.0 and HTTP 1.1 support
• Anonymous, Basic, NTLM, Kerberos, Digest, and
Negotiation authentication types
• Multiple connection types
• Proxy support
• Client-certificate support
Summary
• Web applications can be developed on many
platforms
• HTML pages can contain
– Forms
– ASP
– CGI
– Scripting languages
• Static pages have been replaced by dynamic pages
• Dynamic Web pages can be created using CGI, ASP,
and JSP
Summary (continued)
• Web forms allow developers to create Web pages
with which visitors can interact
• Web applications use a variety of technologies to
connect to databases
– ODBC
– OLE DB
– ADO
• Security tests should check
– Whether the application connects to a database
– If the user is authenticated through a different server
Summary (continued)
• Many tools are available for security testers
– Cgiscan
– Wfetch
– OWASP open-source software
• Web applications that connect to databases might be
vulnerable to SQL injection
• There are many free tools for attacking Web servers
available on the Internet