Ethical Hacking

CHAPTER 10 EXPLOITING WEB SERVERS

ERIC VANDERBURG
Objectives
Describe Web applications
Explain Web application vulnerabilities
Describe the tools used to attack Web servers
Understanding Web
Applications
It is nearly impossible to write a program without bugs
Some bugs create security vulnerabilities
Web applications also have bugs
Web applications have a larger user base than standalone
applications
Bugs are a bigger problem for Web applications
Web Application
Components
Static Web pages
Created using HTML
Dynamic Web pages
Need special components
<form> tags
Common Gateway Interface (CGI)
Active Server Pages (ASP)
PHP
ColdFusion
Scripting languages
Database connectors
Web Forms
Use the <form> element or tag in an HTML document
Allows customer to submit information to the Web server
Web servers process information from a Web form by using a
Web application
Easy way for attackers to intercept data that users submit to a
Web server
Web Forms (continued)
Web form example
<html>
<body>
<form>
Enter your username:
<input type="text" name="username">
<br>
Enter your password:
<input type="text" name="password">
</form></body></html>
Common Gateway Interface
(CGI)
Handles moving data from a Web server to a Web browser
The majority of dynamic Web pages are created with CGI and
scripting languages
Describes how a Web server passes data to a Web browser
Relies on Perl or another scripting language to create dynamic
Web pages
CGI programs can be written in different programming and
scripting languages
Common Gateway Interface
(CGI) (continued)
CGI example
Written in Perl
Hello.pl
Should be placed in the cgi-bin directory on the Web server
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello Security Testers!";
Active Server Pages (ASP)
With ASP, developers can display HTML documents to users on
the fly
Main difference from pure HTML pages
When a user requests a Web page, one is created at that time
ASP uses scripting languages such as JScript or VBScript
Not all Web servers support ASP
Active Server Pages (ASP)
(continued)
ASP example
<HTML>
<HEAD><TITLE> My First ASP Web Page </TITLE></HEAD>
<BODY>
<H1>Hello, security professionals</H1>
The time is <% = Time %>.
</BODY>
</HTML>
Microsoft does not want users to be able to view an ASP Web
pages source code
This can create serious security problems
Apache Web Server
Tomcat Apache is another Web Server program
Tomcat Apache hosts anywhere from 50% to 60% of all Web
sites
Advantages
Works on just about any *NIX and Windows platform
It is free
Requires Java 2 Standard Runtime Environment (J2SE, version
5.0)
Using Scripting Languages
Dynamic Web pages can be developed using scripting
languages
VBScript
JavaScript
PHP
PHP: Hypertext Processor
(PHP)
Enables Web developers to create dynamic Web pages
Similar to ASP
Open-source server-side scripting language
Can be embedded in an HTML Web page using PHP tags <?php
and ?>
Users cannot see PHP code on their Web browser
Used primarily on UNIX systems
Also supported on Macintosh and Microsoft platforms
PHP: Hypertext Processor
(PHP) (continued)
PHP example
<html>
<head>
<title>My First PHP Program </title>
</head>
<body>
<?php echo '<h1>Hello, Security Testers!</h1>'; ?>
</body>
</html>
As a security tester you should look for PHP vulnerabilities
ColdFusion
Server-side scripting language used to develop dynamic Web
pages
Created by the Allaire Corporation
Uses its own proprietary tags written in ColdFusion Markup
Language (CFML)
CFML Web applications can contain other technologies, such
as HTML or JavaScript
ColdFusion (continued)
CFML example
<html>
<head>
<title>Using CFML</title>
</head>
<body>
<CFLOCATION URL="www.isecom.org/cf/index.htm"
ADDTOKEN="NO">
</body>
</html>
CFML is not exempt of vulnerabilities
VBScript
Visual Basic Script is a scripting language developed by
Microsoft
Converts static Web pages into dynamic Web pages
Takes advantage of the power of a full programming language
VBScript is also prone to security vulnerabilities
Check the Microsoft Security Bulletin for information about
VBScript vulnerabilities
VBScript (continued)
VBScript example
<html>
<body>
<script type="text/vbscript">
document.write("<h1>Hello Security Testers!</h1>")
document.write("Date Activated: " & date())
</script>
</body>
</html>
JavaScript
Popular scripting language
JavaScript also has the power of a programming language
Branching
Looping
Testing
Variety of vulnerabilities exist for JavaScript that have been
exploited in older Web browsers
JavaScript (continued)
JavaScript example
<html>
<head>
<script type="text/javascript">
function chastise_user()
{
alert("So, you like breaking rules?")
document.getElementByld("cmdButton").focus()
}
</script>
</head>
<body>
<h3>"If you are a Security Tester, please do not click the command
button below!"</h3>
<form>
<input type="button" value="Don't Click!" name="cmdButton"
onClick="chastise_user()" />
</form>
</body>
</html>
Connecting to Databases
Web pages can display information stored on databases
There are several technologies used to connect databases with
Web applications
Technology depends on the OS used
ODBC
OLE DB
ADO
Theory is the same
Open Database Connectivity
(ODBC)
Standard database access method developed by the SQL Access
Group
ODBC interface allows an application to access
Data stored in a database management system
Any system that understands and can issue ODBC commands
Interoperability among back-end DBMS is a key feature of the
ODBC interface

Open Database Connectivity
(ODBC) (continued)
ODBC defines
Standardized representation of data types
A library of ODBC functions
Standard methods of connecting to and logging on to a DBMS

Object Linking and Embedding
Database (OLE DB)
OLE DB is a set of interfaces
Enables applications to access data stored in a DBMS
Developed by Microsoft
Designed to be faster, more efficient, and more stable than ODBC
OLE DB relies on connection strings
Different providers can be used with OLE DB depending on the
DBMS to which you want to connect
ActiveX Data Objects (ADO)
ActiveX defines a set of technologies that allow desktop
applications to interact with the Web
ADO is a programming interface that allows Web
applications to access databases
Steps for accessing a database from a Web page
Create an ADO connection
Open the database connection you just created
Create an ADO recordset
Open the recordset
Select the data you need
Close the recordset and the connection
Understanding Web Application
Vulnerabilities
Many platforms and programming languages can be used to
design a Web site
Application security is as important as network security
Attackers controlling a Web server can
Deface the Web site
Destroy or steal companys data
Gain control of user accounts
Perform secondary attacks from the Web site
Gain root access to other applications or servers
Application Vulnerabilities
Countermeasures
Open Web Application Security Project (OWASP)
Open, not-for-profit organization dedicated to finding and fighting
vulnerabilities in Web applications
Publishes the Ten Most Critical Web Application Security Vulnerabilities
Top-10 Web application vulnerabilities
Unvalidated parameters
HTTP requests are not validated by the Web server
Broken access control
Developers implement access controls but fail to test them properly
Application Vulnerabilities
Countermeasures (continued)
Top-10 Web application vulnerabilities (continued)
Broken account and session management
Enables attackers to compromise passwords or session cookies to gain
access to accounts
Cross-site scripting (XSS) flaws
Attacker can use a Web application to run a script on the Web browser of
the system he or she is attacking
Buffer overflows
It is possible for an attacker to use C or C++ code that includes a buffer
overflow

Application Vulnerabilities
Countermeasures (continued)
Top-10 Web application vulnerabilities (continued)
Command injection flaws
An attacker can embed malicious code and run a program on the
database server
Error-handling problems
Error information sent to the user might reveal information that an attacker
can use
Insecure use of cryptography
Storing keys, certificates, and passwords on a Web server can be dangerous

Application Vulnerabilities
Countermeasures (continued)
Top-10 Web application vulnerabilities (continued)
Remote administration flaws
Attacker can gain access to the Web server through the remote
administration interface
Web and application server misconfiguration
Any Web server software out of the box is usually vulnerable to attack
Default accounts and passwords
Overly informative error messages
Application Vulnerabilities
Countermeasures (continued)
WebGoat project
Helps security testers learn how to perform vulnerabilities testing on Web
applications
Developed by OWASP
WebGoat can be used to
Reveal HTML or Java code and any cookies or parameters used
Hack a logon name and password
Application Vulnerabilities
Countermeasures (continued)
WebGoat can be used to
Traverse a file system on a Windows XP computer running Apache
WebGoats big challenge
Defeat an authentication mechanism
Steal credit cards from a database
Deface a Web site
Assessing Web Applications
Security testers should look for answers to some important questions
Does the Web application use dynamic Web pages?
Does the Web application connect to a backend database server?
Does the Web application require authentication of the user?
On what platform was the Web application developed?
Does the Web Application Use
Dynamic Web Pages?
Static Web pages do not create a security environment
IIS attack example
Submitting a specially formatted URL to the attacked Web server
IIS does not correctly parse the URL information
Attackers could launch a Unicode exploit
http://www.nopatchiss.com/scripts/..%255c..%255cwinn
t/system32/cmd.exe?/c+dir+c
Attacker can even install a Trojan program
Does the Web Application
Connect to a Backend Database
Server?
Security testers should check for the possibility of SQL injection being
used to attack the system
SQL injection involves the attacker supplying SQL commands on a
Web application field
SQL injection examples
SELECT * FROM customer
WHERE tblusername = ' ' OR 1=1 -- ' AND tblpassword = ' '
or
SELECT * FROM customer
WHERE tblusername = ' OR "=" AND tblpassword = ' OR "="
Does the Web Application
Connect to a Backend Database
Server? (continued)
Basic testing should look for
Whether you can enter text with punctuation marks
Whether you can enter a single quotation mark followed by any
SQL keywords
Whether you can get any sort of database error when
attempting to inject SQL
Does the Web Application Require
Authentication of the User?
Many Web applications require another server authenticate users
Examine how information is passed between the two servers
Encrypted channels
Verify that logon and password information is stored on secure
places
Authentication servers introduce a second target
On What Platform Was the Web
Application Developed?
Several different platforms and technologies can be used to
develop Web applications
Attacks differ depending on the platform and technology used to
develop the application
Footprinting is used to find out as much information as possible about a
target system
The more you know about a system the easier it is to gather information
about its vulnerabilities
Tools of Web Attackers and
Security Testers
Choose the right tools for the job
Attackers look for tools that enable them to attack the system
They choose their tools based on the vulnerabilities found on a target
system or application
Web Tools
Cgiscan.c: CGI scanning tool
Written in C in 1999 by Bronc Buster
Tool for searching Web sites for CGI scripts that can be exploited
One of the best tools for scanning the Web for systems with CGI
vulnerabilities
Web Tools (continued)
Phfscan.c
Written to scan Web sites looking for hosts that could be exploited by
the PHF bug
The PHF bug enables an attacker to download the victims /etc/passwd
file
It also allows attackers to run programs on the victims Web server by
using a particular URL
Web Tools (continued)
Wfetch: GUI tool
This tool queries the status of a Web server
It also attempts authentication using
Multiple HTTP methods
Configuration of host name and TCP port
HTTP 1.0 and HTTP 1.1 support
Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiation
authentication types
Multiple connection types
Proxy support
Client-certificate support
Summary
Web applications can be developed on many platforms
HTML pages can contain
Forms
ASP
CGI
Scripting languages
Static pages have been replaced by dynamic pages
Dynamic Web pages can be created using CGI, ASP, and JSP
Summary (continued)
Web forms allows developers to create Web pages with which
visitors can interact
Web applications use a variety of technologies to connect to
databases
ODBC
OLE DB
ADO
Security tests should check
Whether the application connects to a database
If the user is authenticated through a different server
Summary (continued)
Many tools are available for security testers
Cgiscan
Wfetch
OWASP open-source software
Web applications that connect to databases might be
vulnerable to SQL injection
There are many free tools for attacking Web servers available in
the Internet