SlideShare a Scribd company logo

Ch 10: Hacking Web Servers

•
•
Sam Bowne
Sam Bowne

Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610. Instructor: Sam Bowne Class website: https://samsclass.info/123/123_S17.shtml

Education
1 of 76
Download to read offline
Hands-On Ethical Hacking and Network Defense
 3rd Edition Chapter 10 Hacking Web Servers Revised 1-11-17
Objectives • Describe Web applications • Explain Web application vulnerabilities • Describe the tools used to attack Web servers
Client’s Browser Internet Explorer or Firefox Web Server IIS or Apache HTTP HTTPS
Web Servers • The two main Web servers are Apache (Open source) and IIS (Microsoft) ■ Link Ch 10c
Understanding Web Applications • It is nearly impossible to write a program without bugs • Some bugs create security vulnerabilities • Web applications also have bugs • Web applications have a larger user base than standalone applications • Bugs are a bigger problem for Web applications
Web Application Components • Static Web pages • Created using HTML • Dynamic Web pages • Need special components • <form> tags • Common Gateway Interface (CGI) scripts • Active Server Pages (ASP) • PHP • ColdFusion • Scripting languages like JavaScript • ODBC (Open Database connector)
Web Forms • Use the <form> element or tag in an HTML document • Allows customer to submit information to the Web server • Web servers process information from a Web form by using a Web application • Easy way for attackers to intercept data that users submit to a Web server
Web Forms (continued) • Web form example <html><body> <form> Enter your username: <input type="text" name="username"> <br> Enter your password: <input type="text" name="password"> </form></body></html>
Client’s Browser HTML Forms JavaScript Web Server CGI Scripts HTTP HTTPS
Common Gateway Interface (CGI) • Handles moving data from a Web server to a Web browser • The majority of dynamic Web pages are created with CGI and scripting languages • Describes how a Web server passes data to a Web browser • Relies on Perl or another scripting language to create dynamic Web pages
CGI Languages • CGI programs can be written in different programming and scripting languages • C or C++ • Perl • Unix shell scripting • Visual Basic • FORTRAN
Common Gateway Interface (CGI) (continued) • CGI example ■ Written in Perl ■ Hello.pl ■ Should be placed in the cgi-bin directory on the Web server #!/usr/bin/perl print "Content-type: text/htmlnn"; print "Hello Security Testers!";
Another CGI Example • Link Ch 10a: Sam’s Feedback Form • Link Ch 10b alternate (at bottom of page): CGI Script in Perl that processes the data from the form
Active Server Pages (ASP) • Microsoft’s server-side script engine • HTML pages are static—always the same • ASP creates HTML pages as needed. They are not static • ASP uses scripting languages such as JScript or VBScript • Not all Web servers support ASP • IIS supports ASP • Apache doesn’t support ASP as well
Active Server Pages (ASP) • You can’t see the source of an ASP page from a browser • This makes it harder to hack into, although not impossible • ASP examples at links 
 Ch 10d, e, f
Apache Web Server • Apache is the most popular Web Server program • Advantages • Stable and reliable • Works on just about any *NIX and Windows platform • It is free and open source • See links Ch 10g, 10h
Using Scripting Languages • Dynamic Web pages can be developed using scripting languages • VBScript • JavaScript • PHP
PHP: Hypertext Processor (PHP) • Enables Web developers to create dynamic Web pages • Similar to ASP • Open-source server-side scripting language • Can be embedded in an HTML Web page using PHP tags <?php and ?> • Users cannot see PHP code in their Web browser • Used primarily on UNIX systems • Also supported on Macintosh and Microsoft platforms
PHP Example <html><head><title>Example</title></head> <body> <?php echo 'Hello, World!'; ?> </body></html> ■ See links Ch 10k, 10l • PHP has known vulnerabilities • See links Ch 10m, 10n • PHP is often used with MySQL Databases
ColdFusion • Server-side scripting language used to develop dynamic Web pages • Created by the Allaire Corporation • Purchased by Macromedia, now owned by Adobe -- Expensive • Uses its own proprietary tags written in ColdFusion Markup Language (CFML) • CFML Web applications can contain other technologies, such as HTML or JavaScript
ColdFusion Example <html><head><title>Ex</title></head> <body> <CFLOCATION URL="www.isecom.org/cf/ index.htm" ADDTOKEN="NO"> </body> </html> ■ See links Ch 10o
ColdFusion Vulnerabilities • See links Ch 10p, 10q
VBScript • Visual Basic Script is a scripting language developed by Microsoft • You can insert VBScript commands into a static HTML page to make it dynamic • Provides the power of a full programming language • Executed by the client’s browser
VBScript Example <html><body> <script type="text/vbscript"> document.write("<h1>Hello!</h1>") document.write("Date Activated: " & date()) </script> </body></html> • See link Ch 10r – works in IE, but not in Firefox • Firefox does not support VBScript (link Ch 10s)
VBScript vulnerabilities ■ See links Ch 10t, 10u
JavaScript • Popular scripting language • JavaScript also has the power of a programming language • Branching • Looping • Testing
JavaScript Example <html><head> <script type="text/javascript"> function chastise_user(){ alert("So, you like breaking rules?") document.getElementByld("cmdButton").focus( )} </script></head> <body><h3>Don't click the button!</h3> <form> <input type="button" value="Don't Click!" name="cmdButton" onClick="chastise_user()" /> </form></body></html> ■ See link Ch 10v – works in IE and Firefox
JavaScript Vulnerabilities See link Ch 10w
Client’s Browser HTTPorHTTPSWeb Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC or OLE DB Or ADO
Connecting to Databases • Web pages can display information stored on databases • There are several technologies used to connect databases with Web applications • Technology depends on the OS used • ODBC • OLE DB • ADO • Theory is the same
Open Database Connectivity (ODBC) • Standard database access method developed by the SQL Access Group • ODBC interface allows an application to access • Data stored in a database management system (DBMS) • Can use Oracle, SQL, or any DBMS that understands and can issue ODBC commands • Interoperability among back-end DBMS is a key feature of the ODBC interface
Open Database Connectivity (ODBC) (continued) • ODBC defines • Standardized representation of data types • A library of ODBC functions • Standard methods of connecting to and logging on to a DBMS
OLE DB and ADO • Object Linking and Embedding Database (OLE DB) and • ActiveX Data Objects (ADO) • These two more modern, complex technologies replace ODBC and make up"Microsoft’s Universal Data Access“ • See link Ch 10x
Understanding Web Application Vulnerabilities • Many platforms and programming languages can be used to design a Web site • Application security is as important as network security
Attackers controlling a Web server can ■ Deface the Web site ■ Destroy or steal company’s data ■ Gain control of user accounts ■ Perform secondary attacks from the Web site ■ Gain root access to other applications or servers
Open Web Application Security Project (OWASP) ■ Open, not-for-profit organization dedicated to finding and fighting vulnerabilities in Web applications ■ Publishes the Ten Most Critical Web Application Security Vulnerabilities
Top-10 Web application vulnerabilities • Cross-site scripting (XSS) flaws • Attackers inject code into a web page, such as a forum or guestbook • When others user view the page, confidential information is stolen • See link Ch 10za • Command injection flaws • An attacker can embed malicious code and run a program on the database server • Example: SQL Injection
Top-10 Web application vulnerabilities • Malicious file execution • Users allowed to upload or run malicious files • Unsecured Direct Object Reference • Information in the URL allows a user to reference files, directories, or records • Cross-site Request Forgery (CSRF) • Stealing an authenticated session, by replaying a cookie or other token
Top-10 Web application vulnerabilities • Information Leakage and Incorrect Error Handling • Error messages that give away too much information • Broken Authentication and Session Management • Allow attackers to steal cookies or passwords
Top-10 Web application vulnerabilities • Unsecured cryptographic Storage • Storing keys, certificates, and passwords on a Web server can be dangerous • Unsecured Communication • Using HTTP instead of HTTPS • Failure to Restrict URL Access • Security through obscurity • Hoping users don't find the "secret" URLs
Cross-Site Scripting (XSS) ● One client posts active content, with <script> tags or other programming content ● When another client reads the messages, the scripts are executed in his or her browser ● One user attacks another user, using the vulnerable Web application as a weapon 49
● <script>alert("XSS vulnerability!")</script> ● <script>alert(document.cookie)</script> ● <script>window.location="http://www.ccsf.edu"</script> 50
XSS Scripting Effects ● Steal another user's authentication cookie ● Hijack session ● Harvest stored passwords from the target's browser ● Take over machine through browser vulnerability ● Redirect Webpage ● Many, many other evil things… 51
Application Vulnerabilities Countermeasures (continued) • WebGoat project • Helps security testers learn how to perform vulnerabilities testing on Web applications • Developed by OWASP • It’s excellent, and now has video tutorials
Assessing Web Applications • Issues to consider • Dynamic Web pages • Connection to a backend database server • User authentication • What platform was used?
Does the Web Application Use Dynamic Web Pages? • Static Web pages do not create a secure environment • IIS attack example: Directory Traversal • Adding .. to a URL refers to a directory above the Web page directory • Early versions of IIS filtered out , but not %c1%9c, which is a Unicode version of the same character • See link Ch 10 zh
Connection to a Backend Database Server • Security testers should check for the possibility of SQL injection being used to attack the system • SQL injection involves the attacker supplying SQL commands on a Web application field
SQL Injection Example HTML form collects name and pw SQL then uses those fields: SELECT * FROM customer WHERE username = 'name' AND password = 'pw' If a hacker enters a name of ' OR 1=1 -- The SQL becomes: SELECT * FROM customer WHERE username ='' OR 1=1 --' AND password = 'pw' Which is always true, and returns all the records
HackThisSite
Link Ch 10zr
Havij & SQLmap Link Ch 10zq
Connection to a Backend Database Server • Basic testing should look for • Whether you can enter text with punctuation marks • Whether you can enter a single quotation mark followed by any SQL keywords • Whether you can get any sort of database error when attempting to inject SQL
User Authentication • Many Web applications require another server to authenticate users • Examine how information is passed between the two servers • Encrypted channels • Verify that logon and password information is stored on secure places • Authentication servers introduce a second target
What Platform Was Used? • Popular platforms include: • IIS with ASP and SQL Server (Microsoft) • Linux, Apache, MySQL, and PHP (LAMP) • Footprinting is used to find out the platform • The more you know about a system the easier it is to gather information about its vulnerabilities
SQLI on Pastebin
Local File Inclusion
LFI Example
Tools of Web Attackers and Security Testers • Choose the right tools for the job • Attackers look for tools that enable them to attack the system • They choose their tools based on the vulnerabilities found on a target system or application
Web Tools • Firefox and Chrome Developer Tools • View parameters and cookies • Modify and resend requests • BurpSuite • Powerful proxy used for Web App hacking • Zed Attack Proxy • Can do simple vulnerability scans
cgiscan and WebGoat
Web Tools (continued)
Web Tools (continued) • Wfetch: GUI tool from Microsoft • Displays information that is not normally shown in a browser, such as HTTP headers • It also attempts authentication using • Multiple HTTP methods • Configuration of host name and TCP port • HTTP 1.0 and HTTP 1.1 support • Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiation authentication types • Multiple connection types • Proxy support • Client-certificate support • See link Ch 10zl
W3af (in BackTrack)
Skipfish from Google

Recommended

OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
Prakashchand Suthar
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)
Fabiha Shahzad
 
Network security
Network securityNetwork security
Network security
Estiak Khan
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 

Recommended

OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
Prakashchand Suthar
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)
Fabiha Shahzad
 
Network security
Network securityNetwork security
Network security
Estiak Khan
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Network security
Network security Network security
Network security
Madhumithah Ilango
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
Rahmat Suhatman
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITY
afaque jaya
 
Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security
Dr. Kapil Gupta
 
Enumeration and system hacking
Enumeration and system hackingEnumeration and system hacking
Enumeration and system hacking
begmohsin
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocols
Online
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Introduction IDS
Introduction IDSIntroduction IDS
Introduction IDS
Hitesh Mohapatra
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
Er Vivek Rana
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
Santosh Khadsare
 
Ch 11: Hacking Wireless Networks
Ch 11: Hacking Wireless NetworksCh 11: Hacking Wireless Networks
Ch 11: Hacking Wireless Networks
Sam Bowne
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testing
Mohit Belwal
 
Web security
Web securityWeb security
Web security
Padam Banthia
 
Web security
Web securityWeb security
Web security
Muhammad Usman
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
davidjohnrace
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
Marius Vorster
 
Computer Security Presentation
Computer Security PresentationComputer Security Presentation
Computer Security Presentation
PraphullaShrestha1
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
CNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web ServersCNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web Servers
Sam Bowne
 
Ch10 Hacking Web Servers http://ouo.io/2Bt7X
Ch10 Hacking Web Servers http://ouo.io/2Bt7XCh10 Hacking Web Servers http://ouo.io/2Bt7X
Ch10 Hacking Web Servers http://ouo.io/2Bt7X
phanleson
 

More Related Content

What's hot

OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 

What's hot (20)

Network security
Network security Network security
Network security
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITY
 
Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security
 
Enumeration and system hacking
Enumeration and system hackingEnumeration and system hacking
Enumeration and system hacking
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocols
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Introduction IDS
Introduction IDSIntroduction IDS
Introduction IDS
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Ch 11: Hacking Wireless Networks
Ch 11: Hacking Wireless NetworksCh 11: Hacking Wireless Networks
Ch 11: Hacking Wireless Networks
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testing
 
Web security
Web securityWeb security
Web security
 
Web security
Web securityWeb security
Web security
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
 
Computer Security Presentation
Computer Security PresentationComputer Security Presentation
Computer Security Presentation
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 

Similar to Ch 10: Hacking Web Servers

introduction to web application development
introduction to web application developmentintroduction to web application development
introduction to web application development
FLYMAN TECHNOLOGY LIMITED
 
DevNext - Web Programming Concepts Using Asp Net
DevNext - Web Programming Concepts Using Asp NetDevNext - Web Programming Concepts Using Asp Net
DevNext - Web Programming Concepts Using Asp Net
Adil Mughal
 
Introduction to asp
Introduction to aspIntroduction to asp
Introduction to asp
Madhuri Kavade
 

Similar to Ch 10: Hacking Web Servers (20)

CNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web ServersCNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web Servers
 
Ch10 Hacking Web Servers http://ouo.io/2Bt7X
Ch10 Hacking Web Servers http://ouo.io/2Bt7XCh10 Hacking Web Servers http://ouo.io/2Bt7X
Ch10 Hacking Web Servers http://ouo.io/2Bt7X
 
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric VanderburgEthical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
 
Introduction to ASP.NET
Introduction to ASP.NETIntroduction to ASP.NET
Introduction to ASP.NET
 
introduction to web application development
introduction to web application developmentintroduction to web application development
introduction to web application development
 
Font-End Development Tools
Font-End Development ToolsFont-End Development Tools
Font-End Development Tools
 
Webdevelopment
WebdevelopmentWebdevelopment
Webdevelopment
 
AIR - Framework ( Cairngorm and Parsley )
AIR - Framework ( Cairngorm and Parsley )AIR - Framework ( Cairngorm and Parsley )
AIR - Framework ( Cairngorm and Parsley )
 
A comprehensive software infrastructure of .Net
A comprehensive software infrastructure of .Net A comprehensive software infrastructure of .Net
A comprehensive software infrastructure of .Net
 
Web Development Presentation
Web Development PresentationWeb Development Presentation
Web Development Presentation
 
DevNext - Web Programming Concepts Using Asp Net
DevNext - Web Programming Concepts Using Asp NetDevNext - Web Programming Concepts Using Asp Net
DevNext - Web Programming Concepts Using Asp Net
 
Introduction to asp
Introduction to aspIntroduction to asp
Introduction to asp
 
Chapter 1
Chapter 1Chapter 1
Chapter 1
 
Workshop HTML5+PhoneGap by Ivano Malavolta
Workshop HTML5+PhoneGap by Ivano Malavolta Workshop HTML5+PhoneGap by Ivano Malavolta
Workshop HTML5+PhoneGap by Ivano Malavolta
 
Cloud Computing in Systems Programming Curriculum
Cloud Computing in Systems Programming CurriculumCloud Computing in Systems Programming Curriculum
Cloud Computing in Systems Programming Curriculum
 
Client and server side scripting
Client and server side scriptingClient and server side scripting
Client and server side scripting
 
Introaspnet
IntroaspnetIntroaspnet
Introaspnet
 
Aspintro
AspintroAspintro
Aspintro
 
Making Of PHP Based Web Application
Making Of PHP Based Web ApplicationMaking Of PHP Based Web Application
Making Of PHP Based Web Application
 

More from Sam Bowne

More from Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Recently uploaded

Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
Association for Project Management
 

Recently uploaded (20)

General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 

Ch 10: Hacking Web Servers

  • 1. Hands-On Ethical Hacking and Network Defense
 3rd Edition Chapter 10 Hacking Web Servers Revised 1-11-17
  • 2. Objectives • Describe Web applications • Explain Web application vulnerabilities • Describe the tools used to attack Web servers
  • 3. Client’s Browser Internet Explorer or Firefox Web Server IIS or Apache HTTP HTTPS
  • 4. Web Servers • The two main Web servers are Apache (Open source) and IIS (Microsoft) ■ Link Ch 10c
  • 5. Understanding Web Applications • It is nearly impossible to write a program without bugs • Some bugs create security vulnerabilities • Web applications also have bugs • Web applications have a larger user base than standalone applications • Bugs are a bigger problem for Web applications
  • 6. Web Application Components • Static Web pages • Created using HTML • Dynamic Web pages • Need special components • <form> tags • Common Gateway Interface (CGI) scripts • Active Server Pages (ASP) • PHP • ColdFusion • Scripting languages like JavaScript • ODBC (Open Database connector)
  • 7. Web Forms • Use the <form> element or tag in an HTML document • Allows customer to submit information to the Web server • Web servers process information from a Web form by using a Web application • Easy way for attackers to intercept data that users submit to a Web server
  • 8. Web Forms (continued) • Web form example <html><body> <form> Enter your username: <input type="text" name="username"> <br> Enter your password: <input type="text" name="password"> </form></body></html>
  • 9.
  • 10. Client’s Browser HTML Forms JavaScript Web Server CGI Scripts HTTP HTTPS
  • 11. Common Gateway Interface (CGI) • Handles moving data from a Web server to a Web browser • The majority of dynamic Web pages are created with CGI and scripting languages • Describes how a Web server passes data to a Web browser • Relies on Perl or another scripting language to create dynamic Web pages
  • 12. CGI Languages • CGI programs can be written in different programming and scripting languages • C or C++ • Perl • Unix shell scripting • Visual Basic • FORTRAN
  • 13. Common Gateway Interface (CGI) (continued) • CGI example ■ Written in Perl ■ Hello.pl ■ Should be placed in the cgi-bin directory on the Web server #!/usr/bin/perl print "Content-type: text/htmlnn"; print "Hello Security Testers!";
  • 14. Another CGI Example • Link Ch 10a: Sam’s Feedback Form • Link Ch 10b alternate (at bottom of page): CGI Script in Perl that processes the data from the form
  • 15. Active Server Pages (ASP) • Microsoft’s server-side script engine • HTML pages are static—always the same • ASP creates HTML pages as needed. They are not static • ASP uses scripting languages such as JScript or VBScript • Not all Web servers support ASP • IIS supports ASP • Apache doesn’t support ASP as well
  • 16. Active Server Pages (ASP) • You can’t see the source of an ASP page from a browser • This makes it harder to hack into, although not impossible • ASP examples at links 
 Ch 10d, e, f
  • 17. Apache Web Server • Apache is the most popular Web Server program • Advantages • Stable and reliable • Works on just about any *NIX and Windows platform • It is free and open source • See links Ch 10g, 10h
  • 18. Using Scripting Languages • Dynamic Web pages can be developed using scripting languages • VBScript • JavaScript • PHP
  • 19. PHP: Hypertext Processor (PHP) • Enables Web developers to create dynamic Web pages • Similar to ASP • Open-source server-side scripting language • Can be embedded in an HTML Web page using PHP tags <?php and ?> • Users cannot see PHP code in their Web browser • Used primarily on UNIX systems • Also supported on Macintosh and Microsoft platforms
  • 20. PHP Example <html><head><title>Example</title></head> <body> <?php echo 'Hello, World!'; ?> </body></html> ■ See links Ch 10k, 10l • PHP has known vulnerabilities • See links Ch 10m, 10n • PHP is often used with MySQL Databases
  • 21. ColdFusion • Server-side scripting language used to develop dynamic Web pages • Created by the Allaire Corporation • Purchased by Macromedia, now owned by Adobe -- Expensive • Uses its own proprietary tags written in ColdFusion Markup Language (CFML) • CFML Web applications can contain other technologies, such as HTML or JavaScript
  • 24. VBScript • Visual Basic Script is a scripting language developed by Microsoft • You can insert VBScript commands into a static HTML page to make it dynamic • Provides the power of a full programming language • Executed by the client’s browser
  • 25. VBScript Example <html><body> <script type="text/vbscript"> document.write("<h1>Hello!</h1>") document.write("Date Activated: " & date()) </script> </body></html> • See link Ch 10r – works in IE, but not in Firefox • Firefox does not support VBScript (link Ch 10s)
  • 27. JavaScript • Popular scripting language • JavaScript also has the power of a programming language • Branching • Looping • Testing
  • 28. JavaScript Example <html><head> <script type="text/javascript"> function chastise_user(){ alert("So, you like breaking rules?") document.getElementByld("cmdButton").focus( )} </script></head> <body><h3>Don't click the button!</h3> <form> <input type="button" value="Don't Click!" name="cmdButton" onClick="chastise_user()" /> </form></body></html> ■ See link Ch 10v – works in IE and Firefox
  • 30.
  • 31. Client’s Browser HTTPorHTTPSWeb Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC or OLE DB Or ADO
  • 32. Connecting to Databases • Web pages can display information stored on databases • There are several technologies used to connect databases with Web applications • Technology depends on the OS used • ODBC • OLE DB • ADO • Theory is the same
  • 33. Open Database Connectivity (ODBC) • Standard database access method developed by the SQL Access Group • ODBC interface allows an application to access • Data stored in a database management system (DBMS) • Can use Oracle, SQL, or any DBMS that understands and can issue ODBC commands • Interoperability among back-end DBMS is a key feature of the ODBC interface
  • 34. Open Database Connectivity (ODBC) (continued) • ODBC defines • Standardized representation of data types • A library of ODBC functions • Standard methods of connecting to and logging on to a DBMS
  • 35. OLE DB and ADO • Object Linking and Embedding Database (OLE DB) and • ActiveX Data Objects (ADO) • These two more modern, complex technologies replace ODBC and make up"Microsoft’s Universal Data Access“ • See link Ch 10x
  • 36. Understanding Web Application Vulnerabilities • Many platforms and programming languages can be used to design a Web site • Application security is as important as network security
  • 37. Attackers controlling a Web server can ■ Deface the Web site ■ Destroy or steal company’s data ■ Gain control of user accounts ■ Perform secondary attacks from the Web site ■ Gain root access to other applications or servers
  • 38. Open Web Application Security Project (OWASP) ■ Open, not-for-profit organization dedicated to finding and fighting vulnerabilities in Web applications ■ Publishes the Ten Most Critical Web Application Security Vulnerabilities
  • 39. Top-10 Web application vulnerabilities • Cross-site scripting (XSS) flaws • Attackers inject code into a web page, such as a forum or guestbook • When others user view the page, confidential information is stolen • See link Ch 10za • Command injection flaws • An attacker can embed malicious code and run a program on the database server • Example: SQL Injection
  • 40. Top-10 Web application vulnerabilities • Malicious file execution • Users allowed to upload or run malicious files • Unsecured Direct Object Reference • Information in the URL allows a user to reference files, directories, or records • Cross-site Request Forgery (CSRF) • Stealing an authenticated session, by replaying a cookie or other token
  • 41. Top-10 Web application vulnerabilities • Information Leakage and Incorrect Error Handling • Error messages that give away too much information • Broken Authentication and Session Management • Allow attackers to steal cookies or passwords
  • 42. Top-10 Web application vulnerabilities • Unsecured cryptographic Storage • Storing keys, certificates, and passwords on a Web server can be dangerous • Unsecured Communication • Using HTTP instead of HTTPS • Failure to Restrict URL Access • Security through obscurity • Hoping users don't find the "secret" URLs
  • 43. Cross-Site Scripting (XSS) ● One client posts active content, with <script> tags or other programming content ● When another client reads the messages, the scripts are executed in his or her browser ● One user attacks another user, using the vulnerable Web application as a weapon 49
  • 44. ● <script>alert("XSS vulnerability!")</script> ● <script>alert(document.cookie)</script> ● <script>window.location="http://www.ccsf.edu"</script> 50
  • 45. XSS Scripting Effects ● Steal another user's authentication cookie ● Hijack session ● Harvest stored passwords from the target's browser ● Take over machine through browser vulnerability ● Redirect Webpage ● Many, many other evil things… 51
  • 46. Application Vulnerabilities Countermeasures (continued) • WebGoat project • Helps security testers learn how to perform vulnerabilities testing on Web applications • Developed by OWASP • It’s excellent, and now has video tutorials
  • 47. Assessing Web Applications • Issues to consider • Dynamic Web pages • Connection to a backend database server • User authentication • What platform was used?
  • 48. Does the Web Application Use Dynamic Web Pages? • Static Web pages do not create a secure environment • IIS attack example: Directory Traversal • Adding .. to a URL refers to a directory above the Web page directory • Early versions of IIS filtered out , but not %c1%9c, which is a Unicode version of the same character • See link Ch 10 zh
  • 49. Connection to a Backend Database Server • Security testers should check for the possibility of SQL injection being used to attack the system • SQL injection involves the attacker supplying SQL commands on a Web application field
  • 50. SQL Injection Example HTML form collects name and pw SQL then uses those fields: SELECT * FROM customer WHERE username = 'name' AND password = 'pw' If a hacker enters a name of ' OR 1=1 -- The SQL becomes: SELECT * FROM customer WHERE username ='' OR 1=1 --' AND password = 'pw' Which is always true, and returns all the records
  • 54. Connection to a Backend Database Server • Basic testing should look for • Whether you can enter text with punctuation marks • Whether you can enter a single quotation mark followed by any SQL keywords • Whether you can get any sort of database error when attempting to inject SQL
  • 55. User Authentication • Many Web applications require another server to authenticate users • Examine how information is passed between the two servers • Encrypted channels • Verify that logon and password information is stored on secure places • Authentication servers introduce a second target
  • 56. What Platform Was Used? • Popular platforms include: • IIS with ASP and SQL Server (Microsoft) • Linux, Apache, MySQL, and PHP (LAMP) • Footprinting is used to find out the platform • The more you know about a system the easier it is to gather information about its vulnerabilities
  • 58.
  • 59.
  • 62.
  • 63.
  • 64.
  • 65.
  • 66.
  • 67.
  • 68.
  • 69. Tools of Web Attackers and Security Testers • Choose the right tools for the job • Attackers look for tools that enable them to attack the system • They choose their tools based on the vulnerabilities found on a target system or application
  • 70. Web Tools • Firefox and Chrome Developer Tools • View parameters and cookies • Modify and resend requests • BurpSuite • Powerful proxy used for Web App hacking • Zed Attack Proxy • Can do simple vulnerability scans
  • 73. Web Tools (continued) • Wfetch: GUI tool from Microsoft • Displays information that is not normally shown in a browser, such as HTTP headers • It also attempts authentication using • Multiple HTTP methods • Configuration of host name and TCP port • HTTP 1.0 and HTTP 1.1 support • Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiation authentication types • Multiple connection types • Proxy support • Client-certificate support • See link Ch 10zl
  • 74.