= Ch 11 - Web Hacking = Link to PDF of powerpoint presentation http://dl.dropbox.com/u/68566/WebHacking.pdf === Early Days === * In the early days of web hacking the web server was often the main target. * Now days vulnerabilities in server software are widely publicized and easy to detect and attack and protect. * Fewer and fewer vulnerabilities are showing up because… * Vendors and open-source are learning from past mistakes * Sys. Admins are learning how to better configure * Vendors and open-source are responding faster to patches * Proactive countermeasures are fast becoming standard (Watchfire’s !AppSheild, Microsoft’s URLScan, etc.) === Current Vulnerabilities === * Web server vulnerabilities tend to fall into one of the following categories: * Sample files * Source code disclosure * Canonicalization * Server extensions * Input validation (ex. Buffer overflows) === Sample Files === * With more and more features in web software, developers are adding in more sample code and scripts to show what can be done. * If left in place the sample files can become an easy target for hackers. * Ex. IIS4 had two sample files that let hackers remote access and reveal the contents of just about every other file on the server. === Source Code Disclosure === * Allow a malicious user to view the source code of application files on a vulnerable web server that is intended to remain confidential. * Can combine this with other attacks to gain access to protected areas such as /etc/passwd, etc. * Good practice to assume your web files will be seen, and should never store sensitive data in any source code. === Canonicalization Attacks === * Computer and network resources can often be addressed using more than one way. * Ex. C:\text.txt ; ..\\text.txt ; \\computer\C$\text.txt * Apps that make security decisions based on the resource name can be vulnerable to these attacks, and easily fooled. * Make sure to keep web platforms up to date with all patches. * Compartmentalize your directory structure. * Constrain input using platform-layer solutions (MS’s URLScan) to strip unicode or double-hex-encoded characters before reaching the server. === Server Extensions === * Web servers by themselves are minimal in functionality, extensions add a lot to the web experience * With web extensions also come trouble * MS’s indexing extension, IPP, IIS5, WebDAV, SSL, etc all are extensions and all have had their fair share of security holes * Make sure you patch or disable the vulnerable extension. In general make sure you only run extensions that are needed and nothing more === Buffer Overflows === * Buffer overflow attack symbolizes the coup de grace of hacking * Often result in the ability to execute arbitrary commands on the victim machine, with very high privilege levels * Easiest way to counter buffer overflow vulnerabilities is to apply a software patch === Web Server Vulnerability Scanners === * Tools that automate the process of parsing web servers for a bunch of vulnerabilities that come from the hacking community * Allows you to focus on patching the holes that are found when the automated process is done, make sure to patch them fast because a hacker can find them easily too * Ex. Nikto, and Nessus === Web Application Hacking === * Web app hacking refers to hacking the app itself and not the web server * Requires more patience and sophistication then hacking off the shelf web server software === Finding vulnerable apps with Google === * Search engines are dangerous because users are careless * Makes finding candidate machines almost effortless * Find list of publicly accessible pages * Site:southern.edu; inurl:southern.edu * Find unprotected directories * Index of /admin” /password, /mail, password.txt * Find password hint applications that are poorly setup * Password hint, password hint –email, show password hint –email, filetype:htaccess user === Web Crawling === * A serious attacker takes the time to become familiar with the application * Download entire contents of site, look for low hanging fruit * Local path info, back-end server names, IP address, SQL query strings with passwords, info comments, etc * Tools * wget to get entire websites which can then be used to study later in great detail === Web Application Assessment === * Once target app content has been crawled and analyzed attacker will then turn to more in-depth probing * Ultimate goal of this is to thoroughly understand the architecture and design of the application and identify any weaknesses * Focus on authentication, session management, database interaction, generic input validation, and application logic === Browser Plug-ins === * Browser plug-ins allow you to view the requests as they are made and stop, and modify them on their way * Very valuable in finding hidden form fields, modifying query arguments and request headers, and inspecting the response from the remote server * !TamperData is a plug-in for Firefox coupled with no-script can selectively run and edit !JavaScript === Tool Suites === * Web proxies that are in between the web client and server * Basically a man-in-the-middle during an http session * Fiddler can be used with any WinINET library software, IE, Outlook, Office, etc * Fiddler can adjust files on the way * Ex. bpu .css === Common Web Application Vulnerabilities === * The main categories are * Cross-Site Scripting (XSS) * Injection Flaws * Cross-Site Request Forgery (CSRF) === Cross-Site Scripting (XSS) === * Arise from input/output validation deficiencies in web applications * Attacks other users of the page * Ex. Attacker puts code in guestbook online, people who view guestbook has the attackers code executed, potentially giving attacker control of second users’ system * Counter with filter input parameters for special characters. Ex. < > ( ) # & “ === SQL Injection === * Adjusting the SQL to point it at a file you wish to view * Is a problem because by default a web browser is a “trusted” user. * Counter measures * Perform strict input validation on any input from the client * Replace direct SQL statements with stored procedures, prepared statements * Implement defaut error handling * Lock down ODBC * Lock down database server configuration === Cross-Site Request Forgery === * Known about for nearly a decade, but just now becoming a serious problem * Allows for users to stay logged in without having to authenticate after each page load * Can cause problems for the users, passwords changed, funds transferred, merchandise purchased, and more. * Attacker puts image tag in a real page that a user is already logged in to and when the browser requests the link instead of an image it is a url string that can change the password for example. *<img src=http://example.com/update_account.asp?new_password=evil> * Conutermeasures * Tying the incoming request to the auth. session. Use random values, tied to the specified user’s session. If it doesn’t match have them re authenticate their connection. === Misuse of Hidden Tags === * Allows attackers to adjust hidden fields before being sent to the server for processing * Business should not have price of item set as a hidden form * Would be very easy to adjust the price * Countermeasures * Limit the use of hidden tags, or at least confirm the value before processing == Quiz == 1. List 2 of the 5 common web server vulnerabilities. ||<#32cd32>Sample files, Source code disclosure, Canonicalization, Server extensions, Input validation(ex. Buffer overflow) || 2. Name one of the two browser plugins/toolsets to preform a man-in-the-middle attack. ||<#32cd32>!TamperData or Fiddler || 3. What is a common tool used to gather entire websites? ||<#32cd32>wget || 4. What is the easiest method to find vulnerable web applications? ||<#32cd32>Using search engines ||