Web Application Threats and Vulnerabilities
Web Server Hacking and Web Application Vulnerability
WWW
Based upon HTTP and HTML
Runs at the application layer of the TCP/IP model, on top of TCP
Runs on top of the Internet
Used to exchange information between an originating client, or user agent, and a destination server.
HTTP defined by RFC 2616:
http://www.ietf.org/rfc/rfc2616.txt
Four Client to Server Data Exchange Steps
1. DNS name resolution
2. The HTTP web server waits for a GET request
3. The web server responds with a status message (HTTP/1.1 200 OK) and a message body containing additional information, such as the HTML text for the requested Web page.
4. Client browser processes the HTML tags and presents the Web page on the client screen
Typically uses plain HTTP, but can also run over SSL or TLS.
Unsecured HTTP traditionally operates on TCP port 80, while SSL/TLS (HTTPS) uses port 443…
Kerberos uses port 88 and Squid uses port 8080.
Web applications
Typically utilize CGI or ASP
Can connect to a database.
Hacking methodologies can include:
Info gathering by scanning with Nmap, SuperScan, Amap or similar tools.
Banner grabbing to gather server type and version information.
Most widely used web servers
Apache (Most popular…)
IIS
Sun Java Application Server…
Web Server Security Issues
Attractive targets
Hackers seek to exploit server vulnerabilities and compromise websites.
Older IIS versions subject to Code Red and ISAPI attacks…
ISAPI and DLL
Internet Server Application Programming Interface (ISAPI) provides application developers with a tool to extend a web server's functionality. Two types of ISAPI programs:
1. ISAPI filters
2. ISAPI extensions
ISAPI filters
called from a URL
have the ability to alter information entering and leaving IIS.
Examples of applications of ISAPI filters are:
authentication and
data compression.
ISAPI extensions can also be called directly from a URL. An ISAPI extension is a dynamic link library (DLL) file that provides special functions called and loaded into memory only once, regardless of the number of clients making use of the functions.
One commonly used extension is the dynamic link library (DLL), a set of programs called to perform specific functions such as printing or content indexing.
The program in the DLL is called from an executable program, and the executable passes parameters to the DLL program as needed. If the parameters are not passed properly, or if a call to the DLL is not made correctly, a General Protection Fault (GPF) will occur, or the computer will freeze.
Three basic IIS Attack Types
1. Buffer overflow
2. File system traversal
3. Source disclosure
Buffer overflow examples
IPP Printer Overflow, which exploits msw3prt.dll
ISAPI DLL exploits against the IIS Indexing Service extension idq.dll (which handles .ida and .idq requests)
WebDAV / ntdll.dll
IISHack.exe, where the IIS HTTP daemon buffer is made to overflow and malicious code can then be executed.
File System Traversal
By modifying a website URL, a hacker can perform a file system traversal and obtain access to files on other parts of the server…
…sometimes called a dot-dot-slash attack…
Can be filtered, but the filter must also catch Unicode and percent-encoded forms of the sequence.
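A traversal filter of the kind the last point calls for, as an added example that is not part of the original notes: it percent-decodes until the value stops changing (so a double-encoded "..%255c.." is unwrapped), demands strict UTF-8 (so overlong sequences such as %c0%af, which older decoders accepted as "/", are rejected), treats backslash as a separator, and only then joins the path to the document root and checks that the normalized result still lies inside it. The document root /var/www/html and all request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/var/www/html"   # assumed document root, constructed for this example


class TraversalRejected(ValueError):
    """Raised for any request path that must not be served."""


def decode_path(raw, max_rounds=4):
    """Percent-decode until stable; strict UTF-8 rejects overlong encodings such as %c0%af."""
    current = raw
    for _ in range(max_rounds):
        try:
            decoded = unquote_to_bytes(current).decode("utf-8", errors="strict")
        except UnicodeDecodeError as exc:
            raise TraversalRejected(f"invalid UTF-8 in percent-encoding: {raw!r}") from exc
        if decoded == current:
            return decoded
        current = decoded
    raise TraversalRejected(f"too many encoding layers: {raw!r}")


def resolve(raw_url_path, root=WEB_ROOT):
    """Map a request path to a filesystem path, or raise if it escapes the document root."""
    path = decode_path(raw_url_path)
    if "\x00" in path:
        raise TraversalRejected("NUL byte in path")
    path = path.replace("\\", "/")          # IIS also treats backslash as a separator
    if not path.startswith("/"):
        path = "/" + path
    # Normalize only AFTER joining to the root: normalizing the request path on its own
    # silently drops leading ".." segments and hides the traversal attempt.
    full = posixpath.normpath(root + path)
    if full != root and not full.startswith(root + "/"):
        raise TraversalRejected(f"path escapes document root: {raw_url_path!r}")
    return full


def is_safe(raw_url_path):
    """Convenience wrapper: True if resolve() accepts the path."""
    try:
        resolve(raw_url_path)
        return True
    except TraversalRejected:
        return False


if __name__ == "__main__":
    # Constructed request paths: the first two are legitimate, the rest are traversal variants.
    for candidate in ["/index.html", "/docs/../index.html", "/../../etc/passwd",
                      "/%2e%2e/%2e%2e/etc/passwd", "/..%255c..%255cwinnt/win.ini",
                      "/..%c0%af../etc/passwd"]:
        print(f"{candidate!r:40} -> {'serve' if is_safe(candidate) else 'REJECT'}")
```

The comparison at the end is a string-prefix check on a normalized absolute path; on a real deployment you would additionally resolve symbolic links with os.path.realpath before comparing, since a link inside the root can point outside it.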
Source Disclosure Threat
Where IIS is manipulated to reveal the source code of a server side application.
IIS is vulnerable to file-related requests that append the ::$DATA attribute (an NTFS stream name), resulting in the revelation of the contents of the file.
HTR is a first-generation, HTML-like advanced scripting technology that was never widely adopted. ASP displaced HTR…
Apache Threats
Apache chunked encoding vulnerability
Where a flaw in the Apache software misreads the size of the chunks to be received, resulting in a stack overflow and the possibility of executing malicious code.
Mod_proxy buffer overflow
Can lead to a buffer overflow in the web server, enabling the execution of malicious code that can cause a denial of service in the server.
Long URLs
Can result in the server showing directory contents
PHP filtering
Can allow a hacker to run malicious code on the web server
URL trailing slashes
Many trailing slashes in a URL can expose a listing of the original directory
Hacking Tools
IISxploit.exe performs automated directory traversal attacks on IIS.
CleanIISLog provides a means for an attacker to cover tracks by clearing entries containing his IP address from IIS log files.
RPC DCOM: the Remote Procedure Call Distributed Component Object Model interface is subject to a stack-based buffer overflow attack because of improper handling of TCP/IP messages… The overflow manifests in the RPC DCOM interface at ports 135 or 139.
Cmdasp.asp provides an interactive command prompt through an ASP Web page on IIS servers. The IUSR_computername and IWAM_computername user accounts represent a vulnerability in that they will execute scripts and provide a back door to the IIS server… An attacker can also send a shell back to his PC by uploading nc.exe to the IIS web server.
Iiscrack.dll, similar to cmd.asp, provides a path for a hacker to send commands that run on the web server with System privileges.
Ispc.exe is a client that copies the Trojan ISAPI.DLL to a web server and sets up a remote shell with System privileges.
WebInspect is a vulnerability scanner that categorizes over 1,500 Web pages and can perform over 30,000 security checks.
Microsoft Windows NT 4.0/2000 Unspecified Executable Path vulnerability enables automatic execution of Trojans when DLL files and executables are not preceded by a registry patch.
Execiis-win32.exe performs a directory traversal attack that uses cmd.exe to execute commands on an IIS web server.
Patch management
Patch management is the process of organizing and directing the distribution and installation of provisional software revisions to resources on the network.
A hotfix refers to a patch applied during normal operation of the computer system.
Includes an enterprise patch management policy, which includes specifying and enforcing standard platform configurations.
Typical and popular examples of software tools that can support or automate the patching process include:
UpdateExpert: a Windows security management utility.
QFECheck: a Microsoft command-line tool that allows network administrators to track and verify installed Windows 2000 and Windows XP hotfixes.
HFNetChk: a Microsoft software engine available through the command-line interface of the Microsoft Baseline Security Analyzer (MBSA)… Provides the system administrator with the ability to check the patch status of all the machines in a network from a central location by accessing an XML database that is kept current by Microsoft.
Cacls.exe: an interactive command-line utility for Windows NT/2000/XP used for managing and storing access control lists (ACLs).
Web Application Vulnerabilities
Common Web application threats include:
Cross Site Scripting (XSS)
Remote code execution
Username enumeration
SQL injection
Cookie/Session poisoning
Command injection
Parameter/form tampering
Directory traversal
Attack obfuscation
DMZ protocol
Zero-day.
Cross Site Scripting (XSS)
In XSS, an attacker sends a specific request to a website that causes the website to send malicious Web or email code to another user.
Effectively, an attacker uses the website as an intermediary for transferring malicious code to another victim.
One example of malicious action is for the attack code to copy cookies from the victim’s computer and relay them to the attacker.
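The XSS mechanism above, as an added example that is not part of the original notes: a page fragment that reflects a user-supplied name, shown first as the injectable version and then with HTML output encoding so the value can never start a tag; alongside it, a Set-Cookie header built with the HttpOnly and Secure flags, which is the usual mitigation for the cookie-copying action the last point describes (script cannot read an HttpOnly cookie). The cookie name, the session value and the sample input are constructed.

```python
import html
from http.cookies import SimpleCookie


def render_greeting_unsafe(name):
    """Reflects user input straight into the page: the injection point the notes describe."""
    return f"<p>Hello, {name}!</p>"


def render_greeting(name):
    """HTML-encodes the untrusted value: <, >, &, and quotes become entities and are shown as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def session_cookie_header(session_id):
    """Build a Set-Cookie value that script cannot read (HttpOnly) and that only travels over TLS (Secure)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    # Constructed sample input: a harmless script tag standing in for the attacker's payload.
    sample = "<script>alert(1)</script>"
    print("unsafe :", render_greeting_unsafe(sample))
    print("encoded:", render_greeting(sample))
    print("cookie :", session_cookie_header("constructed-session-id"))
```

Output encoding is context-specific: html.escape is right for element content and quoted attribute values, but a value placed inside a script block or a URL needs the encoding for that context instead.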
Remote code execution
Provides the means for a hacker to execute his or her system-level code on a target web server.
With this, an attacker can compromise the web server and access files with the same rights as the server system software.
Username enumeration
Manipulates the backend authentication script into telling an attacker whether a submitted user name is valid. Repeated attempts exploiting this vulnerability can help the attacker determine a correct user name by interpreting the error messages.
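The mitigation for the enumeration weakness above, as an added example that is not part of the original notes: a leaky login that returns different messages for "unknown user" and "wrong password" next to a version that returns one generic message and, for an unknown user, still runs the password hash against a dummy record so the response time does not give the answer away either. The user store, the passwords and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os


def hash_password(password, salt=None, rounds=50_000):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). Parameters are constructed for the example."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest


# Constructed user store with a single real account.
_SALT, _DIGEST = hash_password("correct horse battery staple")
USERS = {"alice": (_SALT, _DIGEST)}

# Dummy record checked whenever the user name is unknown, so the work done
# (and therefore the response time) is the same as for a real account.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy")

GENERIC_ERROR = "Invalid user name or password."


def login_leaky(username, password):
    """The vulnerable pattern: the error text tells the caller whether the user exists."""
    if username not in USERS:
        return False, "No such user."
    salt, digest = USERS[username]
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, digest):
        return False, "Wrong password."
    return True, "Welcome."


def login(username, password):
    """Hardened: one message for every failure, and a hash is always computed."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    _, candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, digest) and username in USERS
    return (True, "Welcome.") if ok else (False, GENERIC_ERROR)


if __name__ == "__main__":
    for fn in (login_leaky, login):
        print(fn.__name__)
        print("  unknown user :", fn("bob", "anything")[1])
        print("  wrong passwd :", fn("alice", "anything")[1])
        print("  correct      :", fn("alice", "correct horse battery staple")[1])
```

The same uniform-response rule applies to registration and password-reset pages, which commonly leak the same information through "that address is already registered" style messages.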
SQL Injection
Enables a hacker to acquire sensitive information stored in the database or to execute remote code.
One version of the attack occurs when the user input stream contains string-literal escape characters and these characters are not properly screened.
Cookie/Session poisoning
The process reverse-engineers vulnerable cookies in order to impersonate a valid user or to gain control of a user's session.
Command injection
The attack injects system commands into program variables so that they are executed on the web server.
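The command-injection pattern above, as an added example that is not part of the original notes: a "run a command on a host the user names" function written three ways. The first passes a formatted string to the shell, so shell metacharacters in the variable become extra commands; the second passes an argument list with no shell, so the whole input arrives as one literal argument; the third adds a hostname allow-list on top. A tiny Python one-liner stands in for the real command (the notes do not name one) so the example runs anywhere; the host names are constructed.

```python
import re
import subprocess
import sys

# Stand-in for the real program (e.g. a ping wrapper): prints its first argument.
ECHO_ARG = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

# Strict hostname syntax (labels of letters, digits, hyphens, joined by dots).
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def run_unsafe(host):
    """Vulnerable: the whole string goes through /bin/sh, so ';', '|', '$(...)' etc. are interpreted."""
    cmd = f"{sys.executable} -c 'import sys; print(sys.argv[1])' {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def run_argv(host):
    """No shell: the variable is one argv element and cannot become a second command."""
    return subprocess.run(ECHO_ARG + [host], capture_output=True, text=True, check=True).stdout.strip()


def run_safe(host):
    """Defense in depth: validate the value against the expected syntax, then use the argv form."""
    if not HOSTNAME_RE.match(host) or len(host) > 253:
        raise ValueError(f"not a valid hostname: {host!r}")
    return run_argv(host)


if __name__ == "__main__":
    probe = "example.com; echo INJECTED"   # constructed input carrying a second command
    print("shell string :", run_unsafe(probe).splitlines())
    print("argv list    :", run_argv(probe).splitlines())
    try:
        run_safe(probe)
    except ValueError as exc:
        print("validated    : rejected ->", exc)
    print("validated    :", run_safe("example.com"))
```

The argv form is the important half: it closes the class of bug regardless of which characters an input filter knows about, and the allow-list then limits the command to the values it was designed for.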
Attack Obfuscation
The practice of obscuring an attack, or making it difficult to analyze or understand… Can prevent reverse engineering…
Zero-day
An attack that exploits a vulnerability before it is generally known to the public, and usually before patches for the vulnerability have been announced and distributed.
Buffer Overflow
An input validation attack that is usually the result of weak or non-existent parameter checking in the processing software.
Form/Hidden field manipulation
Altering the data in a hidden form field so that the application uses attacker-supplied data.
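One mitigation that serves both the cookie/session poisoning point and the hidden-field manipulation point above, as an added example that is not part of the original notes: values the server hands to the client (a session cookie, a hidden price field) are signed with an HMAC, and anything that comes back without a valid tag is rejected, so neither reverse-engineering nor editing the value yields a usable forgery. The key, the catalog, the user name and the time values are constructed; a real deployment would load the key from a key store and would ideally not carry the price in the form at all.

```python
import base64
import hashlib
import hmac
import json
import os
import time

SECRET = os.urandom(32)   # constructed per-process key; real deployments load this from a key store


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload, key=SECRET):
    """Serialize a dict canonically and append an HMAC-SHA256 tag: '<body>.<tag>'."""
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    tag = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify(token, key=SECRET):
    """Return the payload dict if the tag matches, else None. Constant-time comparison."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(_unb64(body))


# --- session cookie: the cookie carries claims, not a guessable counter ---
def issue_session(user, now=None, ttl=3600):
    now = int(time.time()) if now is None else now
    return sign({"user": user, "exp": now + ttl})


def read_session(token, now=None):
    """User name from a valid, unexpired session token; None otherwise."""
    now = int(time.time()) if now is None else now
    claims = verify(token)
    if claims is None or claims.get("exp", 0) <= now:
        return None
    return claims["user"]


# --- hidden form field: the client can see the price but cannot change it ---
CATALOG = {"widget": 1999}   # constructed: price in cents


def price_field(item):
    return sign({"item": item, "price": CATALOG[item]})


def checkout(item, hidden_value):
    """Price to charge, taken only from a field this server signed for this item."""
    data = verify(hidden_value)
    if data is None or data.get("item") != item:
        raise ValueError("hidden field missing, altered, or issued for another item")
    return data["price"]


if __name__ == "__main__":
    token = issue_session("alice", now=1000)
    print("valid session  :", read_session(token, now=1500))
    print("expired session:", read_session(token, now=5000))
    field = price_field("widget")
    print("genuine field  :", checkout("widget", field))
    forged = sign({"item": "widget", "price": 1}, key=b"attacker-guess")
    try:
        checkout("widget", forged)
    except ValueError as exc:
        print("forged field   :", exc)
```

Signing makes tampering detectable; it does not make the contents secret, so nothing sensitive belongs in the payload, and the server still needs its own checks (here the item match and the expiry) on what a valid token says.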
Related Tools
Netcat
Can be used to identify the web server (banner grabbing) and then proceed with an attack to escalate privileges and gain access to files in all portions of the web server.
Netcat can be used to read and write data on TCP and UDP networks.
Nikto
An open-source web server scanner that scans for dangerous files and CGIs on a variety of servers.
Wikto
A web scanning tool similar to Nikto but with added features. Probes for web server vulnerabilities such as vulnerable scripts and directories that might be subject to compromise.
Nessus
A freely available, rule-based remote vulnerability scanner that uses script-based plug-ins.
Metasploit framework
Open source program that supports penetration testing of a variety of operating systems.