ISA 330 Introduction to Proactive System Security
Week #6
Hacking Web Servers and Applications
Philip Robbins – November 9, 2013
Information Security & Assurance Program
University of Hawai'i West Oahu
1
Hacking Web Servers and Applications
Topics
• Web Applications
• Web Servers
• Review Q&A
• Quiz #5
2
3
What are Web Applications?
Any application that uses a web browser as a
client.
– Convenient.
– Method of distribution is popular.
– Web apps have a larger user base than standalone
applications.
4
What are Web Applications?
5
What are Web Applications?
6
What are Web Applications?
7
Web Applications and Web Servers
8
Web Applications
• Static Web Pages
– Created using HTML.
– Same information provided regardless of time or
user.
• Dynamic Web Pages
– Information provided varies.
– Special components used: forms, CGI, ASP, PHP, CF,
JavaScript, database connectors.
9
Web Applications
• Static Web Pages vs. Dynamic Web Pages
10
Web Application Components
• Web Forms
11
Web Application Components
• Web Forms
12
Web Application Components
• Web Forms
– Uses <form> element or tag in HTML document
– Allows user to submit information to Web Server
– Web servers process information from a form using a
Web Application.
– Gives attackers an easy way to intercept submitted
data.
13
Web Application Components
• Common Gateway Interface (CGI)
– Method used to generate dynamic content for web
pages and applications.
– Provides an interface between the content within
databases and applications that generate / “serve up”
web content.
– CGI script could be in Perl, Java, Python, or any other
programming language.
– Placed in cgi-bin directory on the Web server.
14
Web Application Components
• Common Gateway Interface (CGI)
– Web server software executes CGI Script
– CGI script creates HTML page with dynamically
obtained info
[Diagram: CGI Script and Web Server]
15
Web Application Components
16
Web Application Components
• Common Gateway Interface (CGI)
Which programming language? Static or Dynamic Page?
17
Web Application Components
• Common Gateway Interface (CGI)
Which programming language? Static or Dynamic Page?
18
Web Application Components
• Active Server Pages (ASP)
– Microsoft’s first server side script engine for
dynamically generated web pages.
– Not a programming language.
– Technology that allows creation of dynamic,
interactive webpages using scripting languages like
JScript or VBScript.
– Runs only on Windows platforms.
– Web servers running IIS support ASP.
– ASP.NET supersedes ASP and is supported by IIS 5.0+
19
Web Application Components
• Active Server Pages (ASP)
20
Web Application Components
21
Web Application Components
• Active Server Pages (ASP)
Runs script and returns HTML
22
Web Application Components
• PHP: Hypertext Preprocessor (PHP)
– Similar to ASP
– Open source server side scripting language used to
create dynamic web pages.
– Embedded in HTML Web page using PHP tags:
<?php and ?>
– Shouldn’t be able to view source code in Web
browsers.
– Originally used mainly on UNIX systems.
23
Web Application Components
• PHP: Hypertext Preprocessor (PHP)
24
Web Application Components
• ColdFusion
– Another server-side scripting language for
developing dynamic Web pages.
– Uses proprietary tags.
– Written in ColdFusion Markup Language (CFML)
– Can contain other languages (e.g. HTML, JavaScript).
25
Web Application Components
• ColdFusion
26
Web Application Components
• VBScript
– Active Scripting language.
– Developed by Microsoft.
– Modeled on Visual Basic.
– Converts static web pages into dynamic web pages.
– Lightweight programming language with powerful
features.
27
Web Application Components
• VBScript
28
Web Application Components
• JavaScript
– Popular scripting language for creating dynamic web
pages.
– Widely used.
– Variety of vulnerabilities.
29
Web Application Components
• JavaScript
30
Web Application Components
• Internet Information Services (IIS)
31
Web Application Components
• Internet Information Services (IIS)
– Formerly named “Internet Information Server”
– Internet-based services installed on Web Servers
running Microsoft Windows.
32
33
Web Application Components
• Apache Web Server
34
Web Application Components
• Apache Web Server
– Another web server program.
– Runs on twice as many web servers compared to IIS
– Free
– Works on any platform (*nix and Windows)
35
Connecting to Databases
• Open Database Connectivity (ODBC)
– Programming language middleware API for accessing
database management systems (DBMS).
• Object Linking and Embedding Database (OLE DB)
– Allows applications to access data stored in a DBMS.
– Designed by Microsoft to be faster, more efficient, and
more stable than ODBC.
– Depending on the data source you’re connecting to
you may use a different “provider”.
36
Connecting to Databases
• Object Linking and Embedding Database (OLE DB)
37
Connecting to Databases
• Object Linking and Embedding Database (OLE DB)
38
39
Web Application Vulnerabilities
– Many platforms and programming languages can be
used to design a Web site.
– Important to Remember:
Application security is just as important as network
security!!
Network-layer protection doesn’t prevent Application-layer attacks from occurring.
40
Web Application Vulnerabilities
– Attackers controlling a Web site can:
Deface the site.
Destroy the company’s database.
Steal information (PII) and sell it.
Perform other (secondary) attacks.
Gain root access to other application servers.
Exploit Server-side scripting.
41
How are Web Sites Defaced?
– Man-in-the-middle attack
– Password brute force attack of admin accounts
– DNS attack
– FTP server intrusion
– Mail server intrusion
– Rerouting after firewall attack
– SQL injection
– URL poisoning
– Web server extension intrusion
– Remote service intrusion
42
43
Top Web Application Vulnerabilities
– Cross-Site Scripting (XSS) flaws
– Injection flaws and malicious file execution
– Unsecured direct object reference (URL manipulation)
– Cross-site request forgery (CSRF)
– Information leakage and incorrect error handling
– Broken authentication and session management
– Unsecured cryptographic storage
– Unsecured communications
– Failure to restrict URL access
44
Web Application Threats
• Command injection flaws
– Allow attackers to pass malicious code to different
systems via a Web application
45
Web Application Threats
• Parameter/Form Tampering
– Takes advantage of the fact that many programmers
rely on hidden or fixed fields as the only security
measure for certain operations.
46
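Added example, not from the slides: a checkout handler that trusts a hidden "price" field in the submitted form, beside one that takes the price from the server's own catalog. The SKUs, prices and field names are constructed for the demo, and form data is a plain dict as a framework would hand it over.

```python
# Added example (not from the slides): a checkout handler that trusts a hidden
# "price" form field, beside one that takes the price from the server's own
# catalog. Form data is a plain dict, as a framework would hand it over.
# SKUs, prices and field names are constructed for this demo.

CATALOG = {"sku-100": 49.99, "sku-200": 199.00}


def checkout_trusting_hidden_field(form):
    """Vulnerable: the hidden 'price' field is the only thing deciding the total,
    so anyone who edits the form before submitting it sets their own price."""
    qty = int(form["qty"])
    price = float(form["price"])      # attacker-controlled value
    return round(qty * price, 2)


def checkout_server_side_price(form):
    """Hardened: the client may choose only the SKU and quantity; both are
    validated and the price is looked up server-side, never read from the form."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return round(qty * CATALOG[sku], 2)


# A legitimate submission, and the same one with the hidden field edited.
honest = {"sku": "sku-200", "qty": "1", "price": "199.00"}
tampered = {"sku": "sku-200", "qty": "1", "price": "0.01"}

if __name__ == "__main__":
    print(checkout_trusting_hidden_field(tampered))   # 0.01
    print(checkout_server_side_price(tampered))       # 199.0
```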
Web Server Vulnerabilities
• Server Vulnerabilities
Can be exploited by hackers using their browser
address window, causing commands to be executed.
47
Web Server Vulnerabilities
• Canonicalization error in IIS 4.0 and 5.0
Enables an intruder to make use of a specific
malformed URL in order to access files and folders
located on the logical drive that includes Web folders.
48
Web Application Threats
• Cross-Site Scripting (XSS) Flaws
– Injection of malicious code in an otherwise
legitimate website.
– The injected code is executed by unsuspecting users
when they view the website, resulting in a potential
breach of privacy, session hijacking, or drive-by download of malware.
– Attacker takes advantage of the trust you have in a
website’s security.
49
Web Application Threats
• Cross-Site Scripting (XSS) Flaws
– Attacks occur in the browser and are platform
independent.
– Two categories: reflected (non-persistent) and
stored (persistent).
50
Web Application Threats
• Cross-Site Scripting (XSS) Flaws
51
Web Application Threats
• Cross-Site Scripting (XSS) Flaws
Payload is stored on the website
52
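Added example, not from the slides: a minimal stored-XSS scenario. A guestbook keeps visitor comments in memory and renders them for the next visitor; the first renderer pastes stored text straight into the page, the second HTML-escapes it on output. The comments are constructed, and `contains_script_tag` is a helper written for this demo.

```python
# Added example (not from the slides): stored XSS in a guestbook, shown with a
# renderer that trusts stored text and one that escapes it on output.
# The comment store and sample comments are constructed for this demo.
from html import escape

comments = []  # in-memory "database" of stored comments


def post_comment(text):
    """Store a visitor comment exactly as submitted (storage is not the fix)."""
    comments.append(text)


def render_unsafe():
    """Vulnerable: stored text is interpolated into HTML unchanged, so a stored
    payload runs in the browser of every later visitor."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


def render_safe():
    """Hardened: every untrusted string is escaped at the point of output, so
    <, >, &, and quotes cannot open a tag or break out of an attribute."""
    items = "".join(f"<li>{escape(c, quote=True)}</li>" for c in comments)
    return "<ul>" + items + "</ul>"


def contains_script_tag(html):
    """Helper for the demo: does the rendered page carry a live <script> tag?"""
    return "<script" in html.lower()


# Constructed sample data: one harmless comment and one carrying a script tag.
post_comment("Nice site!")
post_comment("<script>alert('stored')</script>")

if __name__ == "__main__":
    print(render_unsafe())
    print(render_safe())
```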
Web Application Threats
• Cookie/Session Poisoning
– Cookies frequently transmit sensitive credentials.
– Can be modified with relative ease in order to
escalate access or assume another user’s identity.
– Modify cost of purchases.
53
Web Application Threats
• Buffer / Stack Overflow
– Execution stack of a Web application is damaged
when a buffer overflows.
54
Web Application Threats
• Directory Traversal/Forceful Browsing
– Attacker is able to browse for directories and files
outside the normal application access.
55
Web Application Threats
• Attack Obfuscation
– Attackers often work hard to mask or hide their
attacks, and avoid detection by encoding their
requests with methods such as URL encoding using
Unicode.
56
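Added example, not from the slides, covering the canonicalization, directory traversal and encoded-request points above: a path check that percent-decodes a requested URL path until it stops changing (bounded), then normalizes it and refuses anything that lands outside the web root. `WEB_ROOT`, `canonicalize` and `resolve` are names chosen for this demo, and the web root is assumed.

```python
# Added example (not from the slides): canonicalize a requested URL path before
# deciding whether it stays inside the web root. Decoding is repeated (with a
# bound) so doubly-encoded sequences cannot hide "..", then the path is
# normalized and compared against the root. Names and root are assumed.
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed web root for the demo


def canonicalize(url_path, max_rounds=3):
    """Percent-decode until stable (at most max_rounds), then treat backslash
    as a separator so Windows-style traversal is normalized the same way."""
    decoded = url_path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def resolve(url_path, root=WEB_ROOT):
    """Return the filesystem path to serve, or None when the request would
    escape the web root after canonicalization."""
    canon = canonicalize(url_path)
    if "\x00" in canon:                      # embedded NUL: never legitimate
        return None
    full = posixpath.normpath(posixpath.join(root, canon.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None                          # normalized path left the root
    return full


if __name__ == "__main__":
    print(resolve("/index.html"))                      # /var/www/html/index.html
    print(resolve("/%252e%252e/%252e%252e/etc/passwd"))  # None
```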
Web Application Threats
• Platform Exploits
– Web applications are built upon application
platforms.
– Platforms are well understood and have well-known
vulnerabilities with associated exploits.
57
Web Application Threats
• Cryptographic Interception
– Attackers attack sensitive handoff points where data
is temporarily unprotected.
58
Web Application Threats
• Authentication Hijacking
– Insecure credential and identity management can
lead to account hijacking and theft of services.
• Log Tampering
– Attacker, in an attempt to cover tracks, will usually
delete logs, modify logs, change user information,
and otherwise destroy all evidence of the attack.
• Error Message Interception
– Error messages that contain site-specific information
allow attackers to learn private application
architectures.
59
Web Application Threats
• Network Access Attacks
– Attacks using techniques such as spoofing, bridging,
ACL attacks, and stack attacks, attempt to pass
through intended access control and routing
policies.
• TCP Fragmentation
– Fragmenting an attack into multiple TCP packets
allows attackers to slip by devices that inspect only
the packets and not the entire session.
60
61
SQL – WTF is it?
• Structured Query Language (SQL)
– Pronounced “sequel”
– Newbs pronounce it “ess cue ell”
– Programming Language
– Manages data in databases
– One of the most common vulnerabilities today!
62
SQL – WTF is it?
• Structured Query Language (SQL)
63
Web Application Threats
• SQL Injection
– Uses command sequences from SQL statements to
control database data directly.
64
Web Application Threats
• SQL Injection
– Login Bypass
65
Web Application Threats
• SQL Injection Login Bypass
The power of: '
Closes the string parameter, so anything after it is
treated as part of the SQL command.
Comments: /* */ and --
Because anything after the -- is ignored, the injection
works even without any specific injection into the
password field.
66
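Added example, not from the slides: the login query built two ways and run against an in-memory SQLite table with one constructed user. The first version builds the statement by string concatenation, so the quote and comment characters discussed above rewrite it; the second uses bound parameters, so the same input stays plain data.

```python
# Added example (not from the slides): login bypass against a concatenated
# query, beside the parameterized version. The users table and its single
# row are constructed for this demo.
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")


def login_concat(username, password):
    """Vulnerable: user input is spliced into the SQL text, so a quote ends the
    string literal and -- comments out the password check that follows."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(username, password):
    """Hardened: placeholders bind the input as values; the statement's
    structure is fixed before the input is ever seen."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    print(login_concat("alice", "correct horse"))   # True
    print(login_concat("alice' --", "anything"))    # True: password check commented out
    print(login_param("alice' --", "anything"))     # False
```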
Web Application Threats
• SQL Injection
– Disruption
I don’t care about the data; I just want to bring the
application down.
67
Protecting our Web Applications & Servers
68
Assessing our Web Applications & Servers
• Look for answers to some important questions:
– Does the Web application use dynamic Web pages?
– Does the Web application connect to a back-end
database server?
– Does the Web application require authentication of
the user?
– On what platform was the Web application
developed?
– Follow the flow of information: Is encryption (SSL)
being used?
69
Protecting our Web Servers
• Patches, Hotfixes, Patch Management
• Vulnerability scanners
• Online Vulnerability Search Engine (NVD)
• Implement Authentication Methods
• Application + Network Protection
• Utilize IDS / IPS, VLANs, & DMZs
• Logging
70
Protecting our Web Applications & Servers
• Capturing and maintaining system log files is an
important part of Web server administration.
• Rules for IIS Logging
– Configure the IIS logs to record every available field
– Capture events with a proper time stamp
– Ensure continuity in the logs
– Ensure that logs are not modified in any way after
they have been originally recorded
– Log Backups / Storage location
71
Protecting our Web Applications & Servers
– Use of Firewalls
– Administrator Account Renaming
– Disabling Default Web Sites
– Removal of Unused Application Mappings
– Disabling Directory Browsing
– Legal Notices
– Checking for Malicious Input in Forms and Query
Strings
– Disabling Remote Administration
– Web Server Security Checklists / SOPs
– Database Table Honeypots & SQL Whitelists
72
Review Questions
• Question #1
The following code is an example of what language?
<Body>
<%
Dim strLastname, strFirstname
strLastname = Request.Form("Last")
strFirstname = Request.Form("First")
%>
a. PHP
b. HTML
c. ASP
d. JScript
73
Review Questions
• Question #2
Which of the following can be used to create dynamic
Web pages? (Choose all that apply.)
a. ColdFusion
b. PHP
c. ASP
d. MySQL
75
Review Questions
• Question #3
Which of the following can be used to connect a Web
server to a back-end database server?
a. ODBC
b. OLE DB
c. ADO
d. HTML
77
Review Questions
• Question #4
Entering the value ' OR 1=1 in a Web application that has
“Enter Your PIN” as a field is most likely an example of
which attack?
a. SQL injection
b. Code injection
c. Buffer overflow
d. Ethernet flaw
79
Review Questions
• Question #5
Entering the URL
http://www.abc.com/%55/%55/%55/%55/%55
in a Web browser is an example of what exploit?
a. Buffer overflow
b. Unicode exploit
c. Worm injection
d. SQL injection
81
Review Questions
• Question #6
The AccessFileName directive in Apache, along with a
configuration file (such as .htaccess), can be used to
perform which of the following on a Web site?
a. Run malicious code in the browser.
b. Protect against XSS worms.
c. Restrict directory access to those with authorized user
credentials.
d. Scan for CGI vulnerabilities.
83
Review Questions
• Question #7
Which of the following is an open-source technology for
creating dynamic HTML Web pages?
a. ASP
b. PHP
c. Java
d. Oracle
85
Review Questions
• Question #8
CGI is used in Microsoft ASP Pages.
a. TRUE
b. FALSE
87
Review Questions
• Question #9
Which of the following is used to connect an ASP Web
page to an Oracle database?
a. ADO
b. HTML
c. CGA
d. OLE DB
89
Review Questions
• Question #10
What tags identify ColdFusion as the scripting language?
a. <# #>
b. <% %>
c. The letters CF
d. <! /!>
91
Review Questions
• Question #11
An HTML Web page containing ASP code must be
compiled before running.
a. TRUE
b. FALSE
93
Review Questions
• Question #12 (last one)
IIS is used on more than twice as many Web servers as
Apache Web Server.
a. TRUE
b. FALSE
95
Questions?
probbins@hawaii.edu
www2.hawaii.edu/~probbins
https://www.dorkatron.com/docs/ISA330/
97