Chapter 10
Web Hacking
Revised 10-29-12
Web Server Hacking
Popular Web Servers
Microsoft IIS/ASP/ASP.NET
LAMP (Linux/Apache/MySQL/PHP)
Oracle WebLogic
– Link Ch 10j
IBM WebSphere
– Link Ch 10k
IIS Popular at Big Companies
– Link Ch 10l
– Link Ch 10m
Attacking Web Server Vulnerabilities
An attacker with the right set of tools and ready-made exploits can bring down a vulnerable web server in minutes
Some of the most devastating Internet worms have historically exploited these kinds of vulnerabilities
– Code Red and Nimda attacked IIS vulnerabilities
Why the Risk is Decreasing
The risk of such attacks is decreasing, because:
– Newer versions of Web servers are less vulnerable
– System administrators are better at configuring the platforms
– Vendors' "best practices" documents are better
– Patches come out more rapidly
Why the Risk is Decreasing
Countermeasures are available, such as:
– Sanctum/Watchfire's AppShield, a Web application firewall (link Ch_12n)
– Microsoft's URLScan; its request-filtering functionality is built in to IIS 6 and, as the Request Filtering module, IIS 7 (link Ch_12o)
Automated vulnerability-scanning products and tools are available
Web Server Vulnerabilities
Sample files
Source code disclosure
Canonicalization
Server extensions
Input validation (for example, buffer overflows)
Denial of Service
Sample Files
Sample scripts and code snippets to illustrate creative use of a platform
In Microsoft's IIS 4.0
– Sample code was installed by default
– showcode.asp and codebrws.asp
– These files took a file name as a parameter and did not stop directory traversal, so an attacker could view almost any file on the server like this:
http://192.168.51.101/msadc/Samples/SELECTOR/showcode.asp?source=/../../../../../boot.ini
http://192.168.51.101/iissamples/exair/howitworks/codebrws.asp?source=/../../../../../winnt/repair/setup.log
Sample Files Countermeasure
Remove sample files from production webservers
If you need the sample files, you can get patches to improve them
– ColdFusion Expression Evaluator patch
– Link Ch 10p
Source Code Disclosure
IIS 4 and 5 could reveal portions of source code through the HTR vulnerability (Link Ch 10q)
– Appending +.htr handed the request to the HTR ISAPI extension, which returned the file's contents instead of executing it
Apache Tomcat and Oracle WebLogic had similar issues
– %70 is a percent-encoded "p": the URL no longer matched the .jsp handler mapping, so the server sent the script as a static file
Attack URLs:
http://www.iisvictim.example/global.asa+.htr
http://www.weblogicserver.example/index.js%70
http://www.tomcatserver.example/examples/jsp/num/numguess.js%70
Source Code Disclosure Countermeasures
Apply patches (these vulnerabilities were patched long ago)
Remove unneeded sample files
Never put sensitive data in the source code of files
– You can never be sure source code is hidden
Canonicalization Attacks
There are many ways to refer to the same file
C:\text.txt
..\text.txt
\\computer\C$\text.txt
The process of resolving a resource to a standard (canonical) name is called canonicalization
– A security check made on one spelling of the name, before canonicalization, is bypassed by any of the other spellings
ASP::$DATA Vulnerability
Affected IIS 4 and earlier versions
Just adding ::$DATA to the end of an ASP page's URL revealed the source code
http://xyz.com/myasp.asp::$DATA
– ::$DATA names the file's default NTFS data stream, so the file system opened the same file, but the URL no longer matched the .asp script mapping and IIS returned it as plain text
Link Ch 10r
Apache Canonicalization Vulnerability (from 2006)
When installed on Windows, capitalizing CGI-BIN revealed source code for scripts
– http://target.com/CGI-BIN/script.pl
– Windows file names are case-insensitive but Apache's ScriptAlias match is not, so the differently cased path missed the CGI handler and was served as a plain file from the document tree
Countermeasure
– Store scripts in a directory outside the document tree
Link Ch 10z10
Unicode/Double Decode Vulnerabilities (from 2000)
Strings like %c0%af could be used to sneak characters like / and \ past URL filters
– %c0%af is an overlong UTF-8 encoding of /, and %c1%9c of \; IIS checked the URL for ".." escapes before it decoded these sequences, then decoded them when building the file system path
– The double-decode variant used %255c: one decode gives %5c, a second gives \
Attack URL example:
http://10.1.1.3/scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir
Exploited by the Nimda worm
Image from Link Ch 10z11 (http://webhacking.org.ua/042.htm)
Canonicalization Attack Countermeasures
Patch your Web platform
Compartmentalize your application directory structure
– Limit access of the Web application user to the minimum required
Clean URLs with URLScan and similar products
– Remove Unicode or double-hex-encoded characters before they reach the server
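The following Python is an added example, not code from the slides or from any vendor. It simulates why a single-pass check let the overlong-UTF-8 and double-decode traversals through, and shows the check a server should make instead: decode until the string stops changing, then resolve against the document root and only then decide. The document root /inetpub/scripts, the lenient UTF-8 decoder that accepts overlong sequences the way the vulnerable IIS did (Python's own decoder correctly rejects them), and the sample request paths are all assumptions constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote, unquote_to_bytes

# Assumed document root that the /scripts/ virtual directory maps to (constructed for this example).
DOC_ROOT = "/inetpub/scripts"


def under_root(candidate: str) -> bool:
    return candidate == DOC_ROOT or candidate.startswith(DOC_ROOT + "/")


def naive_is_safe(url_path: str) -> bool:
    """What the vulnerable servers effectively did: decode once, check that the
    path stays under the root, and decode the rest later when opening the file.
    Overlong (%c0%af) and double-encoded (%255c) separators are invisible here."""
    once = unquote(url_path)  # strict UTF-8: %c0%af becomes replacement chars, %255c becomes %5c
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, once.lstrip("/")))
    return under_root(candidate)


def lenient_utf8(raw: bytes) -> str:
    """Decode UTF-8 without rejecting overlong forms, mimicking the vulnerable
    server: %c0%af becomes '/', %c1%9c becomes '\\'."""
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))  # overlong accepted on purpose
            i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < len(raw) and all(0x80 <= c <= 0xBF for c in raw[i + 1:i + 3]):
            out.append(chr(((b & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F)))
            i += 3
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def full_decode(url_path: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly until nothing changes, so %255c and %c0%af
    both end up as the separator they hide."""
    current = url_path
    for _ in range(max_rounds):
        decoded = lenient_utf8(unquote_to_bytes(current))
        if decoded == current:
            break
        current = decoded
    return current


def safe_resolve(url_path: str):
    """Canonicalize first, then check: returns the absolute path if it stays
    under DOC_ROOT, or None if the request escapes the document tree."""
    decoded = full_decode(url_path).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    return candidate if under_root(candidate) else None


if __name__ == "__main__":
    attack = "..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe"  # the slide's URL, minus /scripts/
    print("one-pass check passes it:", naive_is_safe(attack))
    print("fully decoded:", full_decode(attack))
    print("resolved after canonicalization:", safe_resolve(attack))
```

The one-pass check passes the attack because, after a single strict decode, `..%c0%af..` is one odd-looking directory name that the trailing `../winnt` merely steps back out of; the path still appears to be under the root. Only after the overlong bytes are decoded does it become four parent-directory steps, which is the order of operations the safe version enforces.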
Server Extensions
Code libraries tacked on to the core HTTP engine to provide extra features
– Dynamic script execution (for example, Microsoft ASP)
– Site indexing
– Internet Printing Protocol
– Web Distributed Authoring and Versioning (WebDAV)
– Secure Sockets Layer (SSL)
Server Extensions
Each of these extensions has had vulnerabilities, such as buffer overflows
Microsoft WebDAV "Translate: f" problem
– Add the "Translate: f" header to the HTTP GET request, and a \ to the end of the URL
– Reveals source code: the header asks for the raw file rather than the script's output
Links Ch 10u, v
Server Extensions Exploitation Countermeasures
Patch or disable vulnerable extensions
– The Translate: f problem was patched long ago
Buffer Overflows
Web servers, like all other computers, can be compromised by buffer overflows
The Web server is easy to find, and connected to the Internet, so it is a common target
Famous Buffer Overflows
IIS HTR Chunked Encoding Transfer Heap Overflow
– Affects Microsoft IIS 4.0, 5.0, and 5.1
– Leads to remote denial of service or remote code execution at the IWAM_MACHINENAME privilege level
IIS's Indexing Service extension (idq.dll)
– A buffer overflow used by the infamous Code Red worm
Internet Printing Protocol (IPP) vulnerability
Famous Buffer Overflows
Apache mod_rewrite vulnerability
– Affects all versions up to and including Apache 2.2.0
– Results in remote code execution in the web server's context
Famous Buffer Overflows
Apache mod_ssl vulnerability
– Exploited by the Slapper worm
– The overflow was in OpenSSL's SSLv2 handshake code, reached through mod_ssl
– Affects all versions up to and including Apache 2.0.40
– Results in remote code execution in the context of the Apache child process, which normally runs as an unprivileged user rather than as root
Apache also suffered from a vulnerability in the way it handled HTTP requests encoded with chunked encoding
– Resulted in a worm dubbed "Scalper"
– Thought to be the first Apache worm
Buffer Overflow Countermeasures
Apply software patches
Scan your server with a vulnerability scanner
Denial of Service
Hacktivism is the new ego-driven attack
Low Orbit Ion Cannon
– Simple attack tool
th3j3st3r's XerXes
– Appears to perform layer 7 attacks, like Slowloris and RUDY
– These tie up the server's connection pool with slow, deliberately incomplete requests instead of flooding bandwidth, so a single host can do the damage
Link Ch 10z_12
Web Server Vulnerability Scanners
Nikto checks for common Web server vulnerabilities
– It is not subtle: it leaves obvious traces in log files
– Link Ch 10z01
Nessus/OpenVAS
– Not directly focused on web servers
Nikto Demonstration
Scan DVL Web Server with Nikto
Web Application Hacking
Web Application Hacking
Attacks on applications themselves, as opposed to the web server software upon which these applications run
The same techniques
– Input-validation attacks
– Source code disclosure attacks
– etc.
Finding Vulnerable Web Apps with Google Dorks
You can find unprotected directories with searches like this:
– "Index of /admin"
– "Index of /password"
– "Index of /mail"
You can find password hints, vulnerable Web servers with FrontPage, MRTG traffic analysis pages, .NET information, improperly configured Outlook Web Access (OWA) servers…
And many more
– Link Ch 1a
Web Crawling
Examine a Web site carefully for Low Hanging Fruit
– Local path information
– Backend server names and IP addresses
– SQL query strings with passwords
– Informational comments
Look in static and dynamic pages, include and other support files, source code
Web-Crawling Tools
wget is a simple command-line tool to download a page, and can be used in scripts
– Available for Linux and Windows
– Link Ch 10z03
HTTrack Website Copier
– Free cross-platform application
– Link Ch 10z13
Web Application Assessment
Once the target application content has been crawled and thoroughly analyzed
Probe the features of the application
– Authentication
– Session management
– Database interaction
– Generic input validation
– Application logic
Tools for Web Application Hacking
Browser plug-ins
Free tool suites
Commercial web application scanners
Tamper Data Project (a Firefox add-on)
Acts like a proxy server
You can see POST data and alter it before it leaves the browser
This will defeat client-side validation, which is why validation in JavaScript is never a security control on its own
JavaScript Debugger
Examine and step through JavaScript
Tool Suites
Proxies sit between client and Web application server, like a man-in-the-middle attack
Microsoft Fiddler can intercept and log requests and responses
WebGoat Demo
Tools for Web Application Assessment
WebScarab
– Allows user to intercept and alter HTTP
– Includes spidering and fuzzing
– Runs on any platform
– Free, from OWASP
Burp Suite
– Proxy, Repeater, Sequencer, Spider, Intruder
– Powerful tool to craft automated attacks
– Free version is limited
Expensive Commercial Tools
HP WebInspect and Security Toolkit
Rational AppScan
Cenzic Hailstorm
Cenzic Hailstorm
Highly rated commercial Web application vulnerability scanner
– Links Ch 11o, 11p
Common Web Application Vulnerabilities
Common Web Application Vulnerabilities
Cross-Site Scripting (XSS)
SQL Injection
Cross-Site Request Forgery (CSRF)
HTTP Response Splitting
Cross-Site Scripting (XSS) Attacks
One user injects code that attacks another user
Common on guestbooks, comment pages, forums, etc.
Caused by copying user input into a page without encoding it, so HTML tags in the input survive
– These characters: < > " &
– Also watch out for hex-encoded versions, which pass a filter applied before the server URL-decodes the input
%3c instead of <
%3e instead of >
%22 instead of "
Test payloads:
<script>alert("XSS vulnerability!")</script>
<script>alert(document.cookie)</script>
<script>window.location="http://www.ccsf.edu"</script>
XSS Scripting Effects
Steal another user's authentication cookie
– Hijack session
Harvest stored passwords from the target's browser
Take over machine through browser vulnerability
Redirect Webpage
Many, many other evil things…
Common XSS Payloads
See Link Ch 10z06
Cross-Site Scripting Countermeasures
Filter out < > ( ) # & and the variants of them
HTML-encode output, so a character like < becomes &lt;; that will stop scripts from running
– Encode for the context the data lands in: HTML entities are right for page text, but data placed inside a JavaScript string or a URL needs that context's encoding instead
In IE 6 SP1 or later, an application can set HttpOnly cookies, which prevents them from being accessed by scripts
Analyze your applications for XSS vulnerabilities
– Fix the errors you find
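The following Python is an added example, not code from the slides or from any project they mention. It renders a guestbook comment the way a vulnerable page does and the way an output-encoding page does, then uses Python's own HTML parser to show which elements a browser would actually see; it also shows why a blocklist applied to the raw, still-encoded value misses %3c, and what an HttpOnly session cookie header looks like. The div wrapper, the sample payloads (taken from the slide above), and the cookie attributes are assumptions constructed for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample payloads, copied from the slide above.
PAYLOADS = [
    '<script>alert("XSS vulnerability!")</script>',
    "<script>alert(document.cookie)</script>",
    '<script>window.location="http://www.ccsf.edu"</script>',
]


class TagCollector(HTMLParser):
    """Records every element start tag the browser's parser would create."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def elements_in(markup: str) -> list:
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def render_unsafe(comment: str) -> str:
    """Guestbook page that copies the comment straight into the HTML (the bug)."""
    return f'<div class="comment">{comment}</div>'


def render_safe(comment: str) -> str:
    """Same page with output encoding: < > & " ' become entities, so the comment
    is displayed as text and can never open a tag."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def raw_blocklist_allows(value: str) -> bool:
    """Input filter applied to the raw, still URL-encoded value: %3c slips past it."""
    return not any(c in value for c in '<>"&')


def decoded_blocklist_allows(value: str) -> bool:
    """Same filter after canonicalizing (URL-decoding) the value first."""
    return raw_blocklist_allows(unquote(value))


def session_cookie_header(name: str, value: str) -> str:
    """HttpOnly keeps document.cookie from reading the session token; Secure keeps
    it off plaintext HTTP (assumed attributes for the example)."""
    return f"Set-Cookie: {name}={value}; HttpOnly; Secure; Path=/"


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("unsafe page elements :", elements_in(render_unsafe(payload)))
        print("encoded page elements:", elements_in(render_safe(payload)))
        print(render_safe(payload))
    print(session_cookie_header("sid", "constructed-session-id"))
```

The parser check is the useful part: the encoded page contains only the div, whatever the payload says, so the decision no longer depends on guessing every dangerous character. The blocklist comparison shows the slide's hex-encoding point directly: the same filter passes `%3cscript%3e` when run on the raw value and rejects it once the value is decoded first.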
Common Web Application Vulnerabilities
SQL Injection
SQL Injection Comic
xkcd.org – a great comic
Link Ch 10i
Automated SQL Injection Tools
Havij
sqlmap
SQL Power Injector
Absinthe
Sqlninja
SQL Injection Countermeasures
Perform strict input validation
Replace direct SQL statements with stored procedures, prepared statements, or ADO command objects
– That way user input is bound as a parameter and cannot change the structure of the statement
– A stored procedure that builds dynamic SQL from its arguments internally is still injectable
Implement default error handling
– Use a general error message for all errors, so database error text never reaches the attacker
SQL Injection Countermeasures
Lock down ODBC
– Disable messaging to clients. Don't let regular SQL statements through. This ensures that no client, not just the web application, can execute arbitrary SQL.
Lock down the database server configuration
– Specify users, roles, and permissions, so even if SQL statements are injected, they can't do any harm
SQL Injection Countermeasures
Use programmatic frameworks
– Tools such as Hibernate or LINQ
– Encourage the use of bind variables
Microsoft's Source Code Analyzer for SQL Injection tool
– Link Ch 10z14
Cross-Site Request Forgery (CSRF)
– Tricks a logged-in victim's browser into sending a request the attacker chose; the browser attaches the session cookie by itself, so the attacker rides the session without ever reading the cookie
– Compare session hijacking, where the cookie itself is stolen: We did this with hamster and ferret
HTTP Response Splitting
Trick user into clicking on a malicious URL
If the server copies user input into a response header (for example a Location or Set-Cookie value), injected carriage-return/line-feed characters terminate the HTTP response prematurely, and extra headers and a second, attacker-written response body can be inserted
Result similar to XSS
Countermeasures:
– Validate input: reject or encode CR (%0d) and LF (%0a) in anything that is written into a header
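The following Python is an added example, not code from the slides or from WebGoat. It builds a redirect whose Location header carries a user-supplied lang parameter, feeds the result through a minimal HTTP response parser to show that one injected value yields two responses, and then shows the same redirect built with the header value checked and percent-encoded. The site name, the lang parameter, the payload (written already URL-decoded, as the application receives it), and the parser are assumptions constructed for the demonstration.

```python
from urllib.parse import quote

SITE = "http://www.example.com"  # assumed site for the example

# Constructed payload, shown as the application sees it after the server URL-decoded
# the query string: "en" followed by CRLF-separated headers and a whole second response.
PAYLOAD = (
    "en\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 20\r\n\r\n"
    "<html>Hacked!</html>"
)


def build_redirect_vulnerable(lang: str) -> str:
    """Copies the user-supplied value into the Location header unchecked."""
    return f"HTTP/1.1 302 Found\r\nLocation: {SITE}/index.html?lang={lang}\r\n\r\n"


def header_value_is_clean(value: str) -> bool:
    """A header value may never contain the line terminators that end a header."""
    return "\r" not in value and "\n" not in value


def build_redirect_safe(lang: str):
    """Rejects CR/LF outright (returns None so the caller can answer 400) and,
    as a second layer, percent-encodes the value so a stray terminator could not
    act as one anyway."""
    if not header_value_is_clean(lang):
        return None
    return f"HTTP/1.1 302 Found\r\nLocation: {SITE}/index.html?lang={quote(lang, safe='')}\r\n\r\n"


def parse_responses(raw: str):
    """Minimal HTTP/1.1 response parser: splits a stream the way a client or a
    caching proxy would, using Content-Length to find where each response ends.
    Returns a list of (status line, headers, body)."""
    responses = []
    pos = 0
    while True:
        head_end = raw.find("\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = raw[pos:head_end].split("\r\n")
        status = lines[0]
        if not status.startswith("HTTP/"):
            break
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        responses.append((status, headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return responses


if __name__ == "__main__":
    for status, headers, body in parse_responses(build_redirect_vulnerable(PAYLOAD)):
        print(status, headers, repr(body))
    print("safe builder on payload:", build_redirect_safe(PAYLOAD))
    print("safe builder on 'en':", repr(build_redirect_safe("en")))
```

The parser is what makes the damage visible: the vulnerable builder emits one string, but a client reading it by Content-Length sees a harmless 302 followed by a complete 200 response whose body the attacker wrote. That second response is what a proxy would cache or a browser would render, which is why the slide compares the result to XSS.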
HTTP Response Splitting
In WebGoat
Other Attacks
Misuse of hidden tags
Server Side Includes
Database hacking
– Database discovery
– Database vulnerabilities: network attacks, database engine bugs, vulnerable built-in stored objects, weak or default passwords