Networking in Linux - University of Baltimore Home Page web services


Web hacking and the Internet user

Web hacking
Basics

- Web pilfering: selectively downloading web sites and searching the files off-line.
- Automated scripts: developed by advanced hackers for use by "script kiddies." See SecurityInnovation for vulnerability scanners.
- IIS security: see the Microsoft Web Application Security guide to set up IIS, identify threats and create countermeasures.
- CGI: programming CGI with security in mind (by W3org), a compilation and index of CGI security resources, SSI and CGI security.
- ASP vulnerabilities: HTML and program code in the same directory, the dot bug, sample files (showcode and codebrws). See Microsoft ASP Security.
- Web vulnerability scanners are available for UNIX/Linux: Nikto and Whisker.
- Buffer overflows: (i) PHP security, (ii) do not use wwwcount.cgi, and (iii) the IIS iishack vulnerability (use MSBA to find
Hacking the Internet user: Malicious mobile code

Microsoft ActiveX (ActiveX controls have the file extension .ocx)

- Similar to OLE: lets an object be embedded in a page using the <object> tag.
- When IE finds a page with a control, it checks the Registry to find out whether the control is available; if it is, IE displays the page and runs the control.
- If it is not, IE uses Authenticode to check the author (Verisign's role) and downloads the control. Finally IE displays the page and runs the control.
- "Safe for Scripting": Authenticode is not used with these controls, so malicious web sites may exploit this as a vulnerability. It is easy to mark a control as such. Countermeasures:
  - apply patches for Scriptlet/Eyedog and OUA (Office 2000 UA).
  - set macro protection to High in the Tools/Macro menu in Office.
  - restrict or disable ActiveX using security zones.
- Using security zones: IE has five predefined zones: Internet, Local Intranet, Trusted Sites, Restricted Sites, and My Computer.
  - Internet zone: disable ActiveX controls, enable per-session
Hacking the Internet user: Malicious mobile code

- Java basic security: (a) strong typing enforced at compile and execution time, (b) the built-in JVM bytecode verifier controls memory space (buffer overflows are hard to cause), (c) no memory pointers (making it difficult to insert commands into running code), (d) the security manager (controls access to computer resources), and (e) code signing similar to Authenticode. Recommendations: update, and use security zones.
- JavaScript: the most frequently used client-side scripting language. MS executes JavaScript using Active Scripting. Again, use security zones to restrict the use of JavaScript.
- Beware of the "cookie monster": cookies can be per session or persistent.

Settings in Firefox and Internet Explorer (IE 7).

- Cookie sniffing: capturing cookies using packet sniffing tools (SpyNet/PeepNet).

Countermeasures: Cookie cutters, Firefox and IE cookie controls.
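The per-session versus persistent distinction and the sniffing risk above can be checked mechanically from the server's own Set-Cookie headers. The following audit script is an added example, not part of the lecture slides: it classifies each cookie by whether it carries Expires or Max-Age, and flags cookies that lack the Secure attribute (sent in clear over HTTP, so a packet sniffer can capture them) or HttpOnly (readable by page script). Neither attribute is named on the slide; the sample headers and the MAX_LIFETIME_SECONDS threshold are constructed for the example.

```python
"""Audit Set-Cookie headers for the cookie risks the slide names.
Added example, not from the slides: the header strings below are constructed."""
from dataclasses import dataclass, field

# Assumed policy threshold: persistent cookies living longer than this are
# flagged because a sniffed copy stays useful for that long.
MAX_LIFETIME_SECONDS = 30 * 24 * 3600


@dataclass
class CookieReport:
    name: str
    persistent: bool                      # has Expires or Max-Age
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into the cookie name and a
    lower-cased attribute dict (flag attributes map to '')."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def audit_cookie(header: str) -> CookieReport:
    name, attrs = parse_set_cookie(header)
    persistent = "expires" in attrs or "max-age" in attrs
    report = CookieReport(name=name, persistent=persistent)
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie over plain HTTP,
        # where a sniffer on the path can read it.
        report.findings.append("missing Secure: sent in clear, sniffable")
    if "httponly" not in attrs:
        report.findings.append("missing HttpOnly: readable by page script")
    if "max-age" in attrs:
        try:
            if int(attrs["max-age"]) > MAX_LIFETIME_SECONDS:
                report.findings.append("long-lived persistent cookie")
        except ValueError:
            report.findings.append("unparseable Max-Age")
    return report


# Constructed sample headers, as a server might send them.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    "track=xyz; Max-Age=31536000; Secure",
]


def audit_all(headers):
    """Map cookie name -> CookieReport for a list of Set-Cookie values."""
    return {r.name: r for r in map(audit_cookie, headers)}


if __name__ == "__main__":
    for name, report in audit_all(SAMPLE_HEADERS).items():
        kind = "persistent" if report.persistent else "per-session"
        print(f"{name} ({kind}): {report.findings or 'ok'}")
```

Run against real responses, the script is a quick way to see which cookies a browser-side "cookie cutter" or a sniffer on an unencrypted link would actually expose.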

- IE HTML frame vulnerabilities. IE's cross-domain security model: a domain is a security boundary; any open windows within the same domain can interact with each other, but windows from different domains cannot.
- IFRAME ExecCommand: iframe is an IE tag to create a floating frame
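The boundary the cross-domain model draws can be written down as a small check. The script below is an added example, not from the slides: it reduces two URLs to an origin triple and decides whether one window or floating frame may script the other. It generalises the slide's domain-based IE model to the modern same-origin rule, which compares scheme, host and port; the URLs are constructed.

```python
"""Same-origin check for the cross-domain boundary the slide describes.
Added example, not from the slides: compares scheme, host and port
(the modern same-origin rule, a generalisation of the slide's
domain-based IE model); the URLs are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str):
    """Reduce a URL to its (scheme, host, port) origin triple."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    # An explicit default port is the same origin as no port at all.
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_origin(a: str, b: str) -> bool:
    """True when two windows/frames may script each other's documents."""
    return origin(a) == origin(b)


def frame_may_access_parent(parent_url: str, frame_url: str) -> bool:
    # A floating frame from another origin is isolated from the page that
    # embeds it; a same-origin frame is not.
    return same_origin(parent_url, frame_url)


if __name__ == "__main__":
    parent = "http://www.example.test/index.html"   # constructed
    for frame in ("http://www.example.test:80/widget.html",
                  "https://www.example.test/widget.html",
                  "http://ads.example.test/widget.html",
                  "http://www.example.test:8080/widget.html"):
        print(frame, "->", frame_may_access_parent(parent, frame))
```

Path and query are deliberately ignored: two pages on the same host, scheme and port share an origin no matter which document is loaded, which is exactly why a single scriptable control or frame on one page can affect every other page of that site.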
Hacking the Internet user: E-mail hacking

- Basics: (i) create a text file using the correct MIME syntax, (ii) use netcat to send the message to an open-relay SMTP server, (iii) check the results. Using mpack we can include an attachment. If the mail server requires authentication this hack fails, so you should check the server first with Sam Spade.
- Disable Java, JavaScript and ActiveX in the mail client, e.g. Thunderbird.
- Executing code through e-mail: block all e-mails that have attachments with the extensions .scr, .pif, .zip.
- Outlook Express "book worms": Melissa, ILOVEYOU (see book), Nimda, CodeRed, etc. access the OE address book and mail themselves to all entries. More recent versions use parts of messages sent or received as subject and content. Use the Microsoft patch. Countermeasure: OE 2003 and above: Tools, Options, Read, Read All Messages as Plain Text.
- File attachment attacks: scrap files (.shs and .shb) and long file names in attachments should be blocked by anti-virus or server filtering. Save As in Excel/PowerPoint, and be aware of OE's use of the TEMP
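The MIME structure from step (i) and the server-side attachment filtering recommended in the last two bullets fit together in one script. The following is an added example, not from the slides: it uses Python's email package to assemble a text-plus-attachment MIME message (standing in for the hand-written text file and mpack), serialises it to the on-the-wire form a relay would see, and then applies an attachment filter that blocks the extensions the slides list (.scr, .pif, .zip, and the .shs/.shb scrap files) and over-long file names. The sample messages, addresses and the MAX_FILENAME_LEN threshold are constructed.

```python
"""Build a MIME message with an attachment and run an attachment filter
over it. Added example (not from the slides); sample messages are
constructed and BLOCKED_EXTENSIONS / MAX_FILENAME_LEN are assumed policy."""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the slides say to block (.scr, .pif, .zip) plus the scrap-file
# types (.shs, .shb). Treat these values as an assumed policy.
BLOCKED_EXTENSIONS = {".scr", ".pif", ".zip", ".shs", ".shb"}
MAX_FILENAME_LEN = 64  # assumed threshold for "long file name" attachments


def build_message(attachment_name: str, payload: bytes) -> EmailMessage:
    """Assemble a two-part MIME message: text body plus one attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"   # constructed addresses
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See the attached file.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


def roundtrip(msg: EmailMessage) -> EmailMessage:
    """Serialise to the on-the-wire MIME text and parse it back, which is
    what a mail server sees after SMTP delivery."""
    raw = msg.as_bytes()
    return BytesParser(policy=policy.default).parsebytes(raw)


def scan_attachments(msg: EmailMessage) -> list:
    """Return one reason string per policy violation; empty list = allow."""
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # splitext takes the last extension, so "invoice.txt.scr" is judged
        # by ".scr", not by the decoy ".txt"; lower() catches ".SCR" too.
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"{name}: blocked extension {ext}")
        if len(name) > MAX_FILENAME_LEN:
            reasons.append(f"{name[:16]}...: filename length {len(name)} "
                           f"exceeds {MAX_FILENAME_LEN}")
    return reasons


def should_block(msg: EmailMessage) -> bool:
    return bool(scan_attachments(msg))


if __name__ == "__main__":
    for name in ("report.pdf", "invoice.txt.SCR", "a" * 80 + ".doc"):
        m = roundtrip(build_message(name, b"\x00" * 16))   # constructed payload
        verdict = "BLOCK" if should_block(m) else "allow"
        print(f"{name[:24]:24} -> {verdict} {scan_attachments(m)}")
```

The filter looks only at the declared file name, which is all the slides' extension rule covers; a production gateway would also inspect the content, since a sender controls the name freely.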
Hacking the Internet user: other

- SSL: overview; use 128-bit encryption (most countries now). Potential fraud: bypassing certificate validation. Click on the lock to see the certificate.
- IRC hacking: not only message exchange but also file exchange. Users connect through a reflector (BNC, IRC bouncer or proxy server), making the tracing of IRC users fruitless (a plus for hackers): all you get is the BNC's IP.
- DCC Send and Get connect two IRC users directly and allow file exchange, which makes it easy for a user, or a worm-infected user, to distribute malicious code. Countermeasure: if you need to use IRC, run anti-virus on the directory you selected as the default for DCC downloads, and read more about IRC security.
- Napster hacking: as a distributed file-sharing network it has the potential to distribute Trojans and viruses disguised as MP3 audio files. Napster checks headers and frames to see if the files are MP3 files, but Wrapster disguises files as MP3. Similar services may also be vulnerable.