Differences between revisions 4 and 5
Revision 4 as of 2010-04-20 03:25:03 (size 7841, editor c-71-226-185-105)
Revision 5 as of 2010-04-20 03:39:03 (size 12963, editor c-71-226-185-105)

Ch 11 - Web Hacking
Presented by Matt Zuehlke, 4/7/2010

Link to PDF of the PowerPoint presentation: http://dl.dropbox.com/u/68566/WebHacking.pdf

Early Days

  • In the early days of web hacking the web server was often the main target.
  • Nowadays vulnerabilities in server software are widely publicized and easy to detect, attack, and protect against.
  • Fewer and fewer vulnerabilities are showing up because…
    • Vendors and open-source projects are learning from past mistakes
    • Sys. admins are learning how to configure servers better
    • Vendors and open-source projects are responding faster with patches
    • Proactive countermeasures are fast becoming standard (Watchfire’s AppShield, Microsoft’s URLScan, etc.)
    • Automated vulnerability-scanning products can quickly check for common problems

Current Vulnerabilities

  • Web server vulnerabilities tend to fall into one of the following categories:
    • Sample files
    • Source code disclosure
    • Canonicalization
    • Server extensions
    • Input validation (ex. Buffer overflows)

Sample Files

  • With more and more features in web software, developers are adding in more sample code and scripts to show what can be done.
  • If left in place the sample files can become an easy target for hackers.
  • Ex. IIS4 shipped two sample files that let hackers remotely access and reveal the contents of just about every other file on the server.

Source Code Disclosure

  • Allows a malicious user to view the source code of application files on a vulnerable web server, files that are intended to remain confidential.
  • Can be combined with other attacks to gain access to protected areas such as /etc/passwd.
  • Good practice is to assume your web files will be seen, and never to store sensitive data in any source code.

Canonicalization Attacks

  • Computer and network resources can often be addressed in more than one way.
  • Ex. C:\text.txt ; ..\\text.txt ; \\computer\C$\text.txt
  • Apps that make security decisions based on the resource name can be vulnerable to these attacks and are easily fooled.
  • Make sure to keep web platforms up to date with all patches.
  • Compartmentalize your directory structure.
  • Constrain input using platform-layer solutions (MS’s URLScan) to strip Unicode or double-hex-encoded characters before they reach the server.
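As an added example (not from the slides or the book), here is a Python path resolver that makes the access decision on the canonical form of the requested path rather than on the spelling the client sent. It decodes percent-encoding exactly once, refuses whatever is left of a double-encoded or backslash spelling (the job the slide assigns to URLScan), and checks that the normalized result still lies under the web root. The web root /var/www/html and the request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for the example; the real value comes from server config.
WEBROOT = "/var/www/html"


def safe_resolve(raw_path, webroot=WEBROOT):
    """Map a requested URL path to one canonical file path under the web root.

    Returns the canonical absolute path, or None when the request should be
    refused. The security decision is made on the canonical form, never on
    the spelling the client chose.
    """
    # Decode percent-encoding exactly once. Decoding in a loop is what lets a
    # double-hex-encoded sequence such as %252e (-> %2e -> '.') slip past a
    # filter that only looked at the first decoding.
    decoded = unquote(raw_path)
    # After that single decode, a remaining '%', a backslash or a NUL byte
    # means the client is still trying an alternative spelling; refuse it,
    # the way a platform-layer filter would.
    if any(ch in decoded for ch in ("%", "\\", "\x00")):
        return None
    # Canonicalize: collapse '.', '..' and repeated slashes into one form.
    candidate = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    # Only accept a result that is the web root itself or sits beneath it.
    if candidate != webroot and not candidate.startswith(webroot + "/"):
        return None
    return candidate


def check_requests(paths):
    """Resolve a list of request paths; returns (request, decision) pairs."""
    return [(p, safe_resolve(p)) for p in paths]


if __name__ == "__main__":
    # Constructed requests covering the spellings discussed in the notes.
    for req, result in check_requests([
        "/index.html",
        "/docs/../index.html",
        "/../../etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd",
        "/%252e%252e/%252e%252e/etc/passwd",
        "..\\text.txt",
    ]):
        print(f"{req!r:45} -> {result}")
```

The order matters: decode, then reject leftovers, then normalize, then compare. Normalizing before decoding, or decoding more than once, reintroduces the alternate spellings the check is meant to remove.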

Server Extensions

  • Web servers by themselves are minimal in functionality; extensions add a lot to the web experience.
  • With web extensions also comes trouble.
  • MS’s indexing extension, IPP, IIS5, WebDAV, SSL, etc. are all extensions, and all have had their fair share of security holes.
  • Make sure you patch or disable the vulnerable extension. In general, only run extensions that are needed and nothing more.

Buffer Overflows

  • The buffer overflow attack symbolizes the coup de grâce of hacking.
  • Often results in the ability to execute arbitrary commands on the victim machine, with very high privilege levels.
  • The easiest way to counter buffer overflow vulnerabilities is to apply a software patch.

Web Server Vulnerability Scanners

  • Tools that automate the process of probing web servers for the large set of vulnerabilities that come out of the hacking community.
  • Lets you focus on patching the holes that are found once the automated process is done; make sure to patch them fast, because a hacker can find them just as easily.
  • Ex. Nikto and Nessus

Web Application Hacking

  • Web app hacking refers to hacking the app itself and not the web server.
  • Requires more patience and sophistication than hacking off-the-shelf web server software.

Finding vulnerable apps with Google

  • Search engines are dangerous because users are careless.
  • Makes finding candidate machines almost effortless.
  • Find a list of publicly accessible pages
    • Site:southern.edu; inurl:southern.edu
  • Find unprotected directories
    • “Index of /admin” /password, /mail, password.txt
  • Find password hint applications that are poorly set up
    • password hint, password hint -email, show password hint -email, filetype:htaccess user

Web Crawling

  • A serious attacker takes the time to become familiar with the application.
  • Download the entire contents of the site and look for low-hanging fruit
    • Local path info, back-end server names, IP addresses, SQL query strings with passwords, informative comments, etc.
  • Tools
    • wget to fetch entire websites, which can then be studied later in great detail

Web Application Assessment

  • Once the target app’s content has been crawled and analyzed, the attacker turns to more in-depth probing.
  • The ultimate goal is to thoroughly understand the architecture and design of the application and identify any weaknesses.
  • Focus on authentication, session management, database interaction, generic input validation, and application logic.

Browser Plug-ins

  • Browser plug-ins allow you to view requests as they are made, and to stop and modify them on their way.
  • Very valuable for finding hidden form fields, modifying query arguments and request headers, and inspecting the response from the remote server.
  • TamperData is a plug-in for Firefox; coupled with NoScript it can selectively run and edit JavaScript.

Tool Suites

  • Web proxies that sit between the web client and the server.
  • Basically a man-in-the-middle during an HTTP session.
  • Fiddler can be used with any software built on the WinINET library: IE, Outlook, Office, etc.
  • Fiddler can adjust files on the way
    • Ex. bpu .css

Common Web Application Vulnerabilities

  • The main categories are
    • Cross-Site Scripting (XSS)
    • Injection Flaws
    • Cross-Site Request Forgery (CSRF)

Cross-Site Scripting (XSS)

  • Arises from input/output validation deficiencies in web applications.
  • Attacks other users of the page.
    • Ex. An attacker puts code in an online guestbook; people who view the guestbook have the attacker’s code executed, potentially giving the attacker control of the second user’s system.
  • Counter by filtering input parameters for special characters, e.g. < > ( ) # & “
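An added example, not part of the notes: a small guestbook renderer in Python. It applies the input filtering the slide recommends to the short name field (an allow-list that excludes all of the listed characters) and, because free text cannot be allow-listed, also encodes every untrusted value on output for the HTML context it lands in, which is the step that actually neutralizes the guestbook payload. The names and entries are constructed.

```python
import html
import re

# Input side: an allow-list for the short "name" field. Anything outside it is
# refused, which covers the special characters listed in the notes.
NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,40}")


def valid_name(name):
    """True when the name contains only allow-listed characters."""
    return NAME_RE.fullmatch(name) is not None


def render_entry(name, message):
    """Render one guestbook entry with every untrusted value output-encoded.

    The free-text message cannot be allow-listed, so it is encoded for the
    HTML text context it lands in. The name is reused inside an attribute
    as well, so quotes are encoded too (quote=True).
    """
    if not valid_name(name):
        raise ValueError("guestbook name rejected")
    safe_name = html.escape(name, quote=True)
    safe_message = html.escape(message, quote=True)
    return f'<li data-author="{safe_name}"><b>{safe_name}</b>: {safe_message}</li>'


def render_guestbook(entries):
    """entries: list of (name, message) pairs as stored by the application."""
    return "<ul>\n" + "\n".join(render_entry(n, m) for n, m in entries) + "\n</ul>"


if __name__ == "__main__":
    # Constructed entries: one benign, one carrying a script tag.
    print(render_guestbook([
        ("alice", "Nice site!"),
        ("mallory", "<script>alert(1)</script>"),
    ]))
```

Filtering on input is worth keeping for fields with a known shape, but the encoding on output is what holds even when a value reaches the page through some path other than the form (an import, an admin tool, a database restore).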

SQL Injection

  • Adjusting the application’s SQL so that it points at a file you wish to view.
  • Is a problem because by default a web browser is a “trusted” user.
  • Countermeasures
    • Perform strict input validation on any input from the client
    • Replace direct SQL statements with stored procedures or prepared statements
    • Implement default error handling
    • Lock down ODBC
    • Lock down database server configuration
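An added Python example (not the book’s or the presenter’s code) showing the first three countermeasures side by side against an in-memory SQLite table with constructed rows: the vulnerable string-built query, the prepared statement that binds the client value as data, and a request handler that validates the input first and returns only a generic error to the client. The tautology input in the demo is the textbook one the notes describe.

```python
import re
import sqlite3

# Strict input validation: usernames in this (constructed) application are
# short, lower-case and alphanumeric, so anything else is rejected up front.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def build_db():
    """In-memory table with constructed rows, standing in for the real DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form: the client value is pasted into the statement text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Prepared statement: the value is bound as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_for_client(conn, name):
    """What the request handler should do: validate, bind, and never echo
    database error text back to the browser."""
    if USERNAME_RE.fullmatch(name) is None:
        return {"ok": False, "error": "invalid username"}
    try:
        return {"ok": True, "rows": lookup_safe(conn, name)}
    except sqlite3.Error:
        # Log the detail server-side; the client only gets a generic message.
        return {"ok": False, "error": "lookup failed"}


if __name__ == "__main__":
    conn = build_db()
    probe = "' OR '1'='1"  # constructed tautology input
    print("unsafe:", lookup_unsafe(conn, probe))   # every row comes back
    print("safe:  ", lookup_safe(conn, probe))     # no such user
    print("client:", lookup_for_client(conn, probe))
```

The prepared statement alone already defeats the tautology; the validation and generic error handling are defence in depth, so a future query that someone writes with string concatenation still fails closed and does not leak schema details in its error.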

Cross-Site Request Forgery

  • Known about for nearly a decade, but only now becoming a serious problem.
  • Relies on users staying logged in without having to authenticate after each page load.
  • Can cause problems for the users: passwords changed, funds transferred, merchandise purchased, and more.
  • The attacker puts an image tag in a real page that the user is already logged in to; when the browser requests the link, instead of an image it is a URL string that can, for example, change the password.
    • <img src=http://example.com/update_account.asp?new_password=evil>
  • Countermeasures
    • Tie the incoming request to the authenticated session: use random values tied to the specified user’s session, and if the value doesn’t match have them re-authenticate their connection.
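An added example of the countermeasure above, written in Python and not taken from the notes: each session is issued a random token, the password-change handler accepts only POST requests, and it compares the submitted token against the one tied to that session in constant time. SessionStore, update_account and scenario are names chosen for this example; the forged image request from the slide is the GET case, which carries the cookie but no token.

```python
import hmac
import secrets


class SessionStore:
    """Constructed stand-in for server-side session storage."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        """Create a session and mint a random CSRF token bound to it."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user, "csrf": secrets.token_hex(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def csrf_token_for(store, sid):
    """The value the application embeds in its own forms for this session."""
    session = store.get(sid)
    return None if session is None else session["csrf"]


def update_account(store, sid, method, form):
    """Handler for the password-change action from the notes.

    Returns (status, message). A request triggered by a forged <img> tag is
    a GET with no token, so it is refused before any change is made.
    """
    session = store.get(sid)
    if session is None:
        return 401, "no session: re-authenticate"
    if method != "POST":
        return 405, "state-changing request must be POST"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison against the token tied to *this* session.
    if not hmac.compare_digest(supplied, session["csrf"]):
        return 403, "token mismatch: re-authenticate"
    session["password"] = form.get("new_password", "")
    return 200, f"password changed for {session['user']}"


def scenario():
    """Status codes for: forged GET, token-less POST, valid POST, unknown
    session, and a token that belongs to a different user's session."""
    store = SessionStore()
    sid = store.login("alice")
    token = csrf_token_for(store, sid)
    other_token = csrf_token_for(store, store.login("bob"))
    return [
        update_account(store, sid, "GET", {"new_password": "evil"})[0],
        update_account(store, sid, "POST", {"new_password": "evil"})[0],
        update_account(store, sid, "POST", {"new_password": "s3cret", "csrf_token": token})[0],
        update_account(store, "no-such-session", "POST", {"csrf_token": token})[0],
        update_account(store, sid, "POST", {"new_password": "evil", "csrf_token": other_token})[0],
    ]


if __name__ == "__main__":
    print(scenario())
```

The token is random per session and compared against the session the cookie identifies, so a token an attacker obtains from their own session is useless against another user’s, and an image tag on a third-party page can never supply it.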

Misuse of Hidden Tags

  • Allows attackers to adjust hidden fields before they are sent to the server for processing.
  • A business should not have the price of an item set in a hidden form field.
  • It would be very easy to adjust the price.
  • Countermeasures
    • Limit the use of hidden tags, or at least confirm the value before processing
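An added example (not from the notes) of “confirm the value before processing” in Python: the checkout handler prices the order from a server-side catalog and ignores any price the form carries, and a hidden field that genuinely has to round-trip through the browser is signed with an HMAC so tampering is detected on submit. The catalog, the prices, the key and the function names are constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Placeholder key for the example; a real deployment loads it from config.
SERVER_KEY = b"constructed-demo-key-not-for-production"
# Constructed catalog, prices in cents: the authoritative source of a price.
CATALOG = {"widget": 1999, "gadget": 4999}


def sign_hidden(fields):
    """Serialize fields for a hidden input and attach an HMAC so the server
    can confirm on submit that it wrote exactly these values."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_hidden(token):
    """Return the fields if the HMAC checks out, else None."""
    try:
        b64, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def order_form(item):
    """Hidden input as the server would render it: the value is signed."""
    token = sign_hidden({"item": item, "price_cents": CATALOG[item]})
    return f'<input type="hidden" name="quote" value="{token}">'


def checkout(form):
    """Compute the charge from server-side data, confirming any hidden field.

    Returns (status, total_cents_or_reason). A bare 'price' field in the
    form, if a page still sends one, is never used.
    """
    item = form.get("item")
    try:
        qty = int(form.get("qty", "0"))
    except ValueError:
        return "rejected", "qty not a number"
    if item not in CATALOG or not 1 <= qty <= 100:
        return "rejected", "unknown item or bad quantity"
    price = CATALOG[item]
    # If a signed quote was round-tripped, it must verify and match the item.
    quote = form.get("quote")
    if quote is not None:
        fields = verify_hidden(quote)
        if fields is None or fields.get("item") != item:
            return "rejected", "hidden field tampered"
        price = fields["price_cents"]
    return "ok", price * qty


if __name__ == "__main__":
    print(order_form("widget"))
    print(checkout({"item": "widget", "qty": "2", "price": "1"}))
    print(checkout({"item": "widget", "qty": "1", "quote": order_form("widget")[-80:]}))
```

The first choice is still the slide’s: keep the price out of the form entirely. The signed field is for the cases where something really does have to travel through the client, such as a quoted price that must stay fixed for the length of a session.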

Quiz

  • List 2 of the 5 common web server vulnerabilities.
  • Name one of the two browser plugins/toolsets to perform a man-in-the-middle attack.
  • What is a common tool used to gather entire websites?
  • What is the easiest method to find vulnerable web applications?

What is Enumeration?

  • Probing the open services identified in the last chapter.
  • Enumeration is different from information gathering because of its increased level of intrusiveness.
  • Involves active connections with the target, and will (and should) be logged/noticed.
  • Tends to be platform-specific, and depends greatly on the information found by port-scanning.
  • Oftentimes port-scanning and enumeration tools are bundled together.

Basic Banner Grabbing

  • Banner grabbing is connecting to remote applications and observing what the host sends back.
  • Ex. telnet www.example.com 80 or nc -v www.example.com 80
  • See what information is returned in the header/banner.
  • The main information you get back is the server software and version.
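As an added example, not part of the class notes, here is a Python banner parser a defender can run over their own servers’ responses to see exactly what the HEAD probe above hands out. It extracts the Server and X-Powered-By headers from an HTTP response and the product/version from an SMTP greeting, which are the fields the notes say an enumerator is after. The banners embedded below are constructed, not captured from any real host.

```python
import re

# Constructed banners, in the shape a server returns to "HEAD / HTTP/1.0"
# or on first connect to port 25. Not captured from any real host.
HTTP_BANNER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 20 Apr 2010 03:25:03 GMT\r\n"
    b"Server: Apache/2.2.14 (Unix) PHP/5.2.12\r\n"
    b"X-Powered-By: PHP/5.2.12\r\n"
    b"\r\n"
)
SMTP_BANNER = b"220 mail.example.com ESMTP Sendmail 8.14.3/8.14.3; Tue, 20 Apr 2010\r\n"

# Headers that routinely leak product and version to anyone who asks.
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# "Product/1.2.3" or "Product 1.2.3": a name followed by a dotted version.
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)[ /](\d+(?:\.\d+)+)")


def parse_http_banner(raw):
    """Return {header: value} for the response headers, names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def leaked_versions(text):
    """Every (product, version) pair found in a banner string."""
    return VERSION_RE.findall(text)


def audit_http(raw):
    """(header, product, version) for each version leak in an HTTP banner."""
    headers = parse_http_banner(raw)
    findings = []
    for name in LEAKY_HEADERS:
        if name in headers:
            for product, version in leaked_versions(headers[name]):
                findings.append((name, product, version))
    return findings


def audit_smtp(raw):
    """(product, version) pairs in a 220 greeting; empty for anything else."""
    line = raw.decode("latin-1").strip()
    if not line.startswith("220"):
        return []
    return leaked_versions(line)


if __name__ == "__main__":
    for finding in audit_http(HTTP_BANNER):
        print("http leak:", finding)
    for finding in audit_smtp(SMTP_BANNER):
        print("smtp leak:", finding)
```

An empty result means the host answers without naming its software, which is the state the notes’ countermeasures aim for; each finding names the header or greeting that still needs its version string removed or generalized.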

Enumerating Common Network Services

  • Some of the highest risk services that you should be aware of and block are
    • NetBIOS Session, TCP 139/445
    • Finger, TCP 79
    • SNMP, UDP 161
    • UNIX RPC, TCP/UDP 111 and 32771
  • Some other notable risky services
    • Enumerating Microsoft RPC Endpoint Mapper, TCP 135
    • Novell NetWare Enum., TCP 524 and IPX

NetBIOS Session

  • The null NetBIOS session is the holy grail of enumeration.
  • Network file sharing and printing use SMB, and SMB passes rich system information to anyone.
  • Once connected, the hacker has an open channel to try other techniques over; it can be used to find…
    • Network information, shares, users, groups, registry keys, etc.
  • Stop these attacks by restricting access to ports 139/445; you could also disable SMB on individual NT hosts.

Finger

  • One of the oldest tricks in the book for enumerating users.
  • In the beginning Finger was a simple, useful program for giving out user information.
  • Works only on hosts that have Finger running and port 79 open.
  • Simple to fix; there is no excuse to leave it open and running.

SNMP

  • Designed to provide intimate information about network devices, software, and systems.
    • Makes it a frequent target for hackers
  • Data is protected by a simple password authentication system known as the community string.
    • Most devices default to the string “public”
  • Makes it very easy to get in and identify devices.

UNIX RPC

  • What applications use to talk to each other over the network.
  • The most popular way of doing so.
  • Can tell attackers what types of services and file systems are running.
  • The only way to limit these connections is to create an authentication system for RPC access, or use a system that uses encrypted keys for access.

Enumerating MS RPC Endpoint Mapper

  • Some Microsoft systems have this endpoint mapper or portmapper service running.
  • Attackers can query the service to find out about other applications and services available on the target machine.
  • Best to restrict access to port 135
    • Can cause problems for Exchange servers when remote users try to connect
    • Best to use a VPN to let remote users in

Novell NetWare Enum.

  • Microsoft is not alone with null session holes.
  • The hole in NetWare is even worse because it allows anyone to discover servers, trees, groups, printers, and usernames without even logging in to a server.
  • Block access to port 524 and add an inheritance rights filter (IRF) to the root of the tree to keep users from viewing it.

Summary

  • Windows family SMB makes it easy to find user credentials, file system exports, and application info.
    • Often thought of as the holy grail to hackers.
  • SNMP – if improperly configured to use the public community string, can give out lots of information to anyone.
  • Leaking OS – Finger gives away too much information and is often enabled by default.
  • Limit RPC access to authenticated users or use encryption.

Quiz and Answers

1. What is the “holy grail” to hackers?

NetBIOS / SMB / Null NetBIOS Session

2. What is the main information you can get from a banner grab?

Server software and version

3. Name the two things you need to do to secure the Finger leak?

Disable service and block port

4. What service, if set to use a standard community string, will return lots of information to anyone?

SNMP

5. What two ways can you use to stop access to RPC?

Limit to authenticated users and/or use encryption

Here are the examples Dr. A gave in class

(some of these are Linux, others are Windows)

NetCat

nc -v www.scotnpatti.com 80
    HEAD / HTTP/1.0 (press enter)
       (press enter)

FTP

www.scotnpatti.com   (bad)
www.cs.southern.edu  (good)

SMTP

telnet email.scotnpatti.com
    vrfy root
    vrfy scot
    vrfy jane

DNS

dig @peter.cs.andrews.edu southern.edu axfr 
//works here, but may not work elsewhere

BindVersion

dig @ns1.someuniversitythatdoesen'texist.edu version.bind txt chaos

Back to Cptr427Winter2010

HackingExposedChapter11 (last edited 2010-04-20 03:48:38 by c-71-226-185-105)