Web Site Hacking

Objectives
 Describe Web applications
 Explain Web application vulnerabilities
 Describe the tools used to attack Web servers
Targets
 Normally, a Web application is supported by a Web server
that runs on a general-purpose or embedded OS.
 Each component (application, server, and OS) has its own
set of vulnerabilities, but when these components are
combined, there’s an increased risk of Web applications
being compromised.
 An attacker can exploit a minor vulnerability in one function, such as a
Web mail application, and use it as a stepping stone to
launch additional attacks against the OS.
Web Application Components
 Static Web Pages
 Dynamic Web Pages
 CGI (Common Gateway Interface)
 Active Server Pages (ASP)
 PHP
 ColdFusion
 JavaScript
 Database connector strings, such as Open Database
Connectivity (ODBC)
Scripting Languages
 PHP: Hypertext Preprocessor
 ColdFusion
 VBScript
 JavaScript
PHP: Hypertext Preprocessor
  <html>
  <head>
  <title>My First PHP Program</title>
  </head>
  <body>
  <?php echo '<h1>Hello, Security Testers!</h1>'; ?>
  </body>
  </html>
ColdFusion
  <html>
  <head>
  <title>Using CFML</title>
  </head>
  <body>
  <CFLOCATION URL="www.isecom.org" ADDTOKEN="NO">
  </body>
  </html>
VBScript
  <html>
  <body>
  <script type="text/vbscript">
  document.write ("<h1>Hello Security Testers!</h1>")
  document.write ("Date Activated: " & date())
  </script>
  </body>
  </html>
JavaScript
  <html>
  <head>
  <script type="text/javascript">
  function chastise_user()
  {
  alert("So, you like breaking rules?")
  document.getElementById("cmdButton").focus()
  }
  </script>
  </head>
  <body>
  <h3>"If you are a Security Tester, please do not click the command button below!"</h3>
  <form>
  <input type="button" value="Don't Click!" id="cmdButton" name="cmdButton" onClick="chastise_user()" />
  </form>
  </body>
  </html>
Connecting to Databases
 Open Database Connectivity
 Object Linking and Embedding Database
 ActiveX Data Objects
Open Database Connectivity (ODBC)
 The ODBC interface allows an application to access data
stored in a database management system (DBMS).
 ODBC establishes interoperability between back-end DBMSs and
applications
 A standardized representation for data types
 A library of ODBC function calls that allow an application to
connect to a DBMS, run SQL statements, and retrieve the
results
 A standard method of connecting to and logging on to a
DBMS
Object Linking and Embedding Database (OLE DB)
 A set of interfaces that enable applications to access data
stored in a DBMS.
 OLE DB is faster, more efficient, and more stable than its predecessor,
ODBC.
 OLE DB relies on connection strings that allow the
application to access data stored on an external device.
 Depending on the data source you’re connecting to, you
might use a different provider.
 For example, connecting to a SQL Server database requires using
SQLOLEDB as the provider instead of Microsoft.Jet.
 Example of a Jet connection string:
  Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Personnel.mdb;User ID=;Password=;
OLE DB provider                        Description in connection string
Microsoft Active Directory Service     Provider=ADSDSOOBJECT
Advantage                              Provider=Advantage OLE DB Provider
AS/400 (from IBM)                      Provider=IBMDA400
AS/400 and VSAM (from Microsoft)       Provider=SNAOLEDB
MS Commerce Server                     Provider=Commerce.DSO.1
DB2                                    Provider=DB2OLEDB
Microsoft Jet                          Provider=Microsoft.Jet.OLEDB.4.0
MS Exchange                            Provider=EXOLEDB.DataSource
MySQL                                  Provider=MySQLProv
Oracle (from Microsoft)                Provider=msdaora
Oracle (from Oracle)                   Provider=OraOLEDB.Oracle
MS SQL Server                          Provider=SQLOLEDB
ActiveX Data Objects (ADO)
 A programming interface for connecting a Web application
to a database.
 To access a database from an ASP Web page, you follow
these general steps:
  1. Create an ADO connection to the database you want to access.
  2. Open the database connection you created in Step 1.
  3. Create an ADO recordset, which contains rows from the table you're accessing.
  4. Open the recordset.
  5. Select the data you need from the recordset, based on particular criteria.
  6. Close the recordset and the database connection.
Cross-site scripting (XSS)
 A Web browser might carry out code sent from a Web
site. Attackers can use a Web application to run a
script on the Web browser of the system they’re
attacking.
 XSS is one of the easiest types of attacks to perform,
which also makes it one of the most common;
attackers simply save the form to their local computers
and change the form field values.
 This type of attack is also one of the easiest to protect
against by making sure that any “post” action is
coming from your Web site.
 index.php?name=guest<script>alert('attacked')</script>
Injection flaws
 Many Web applications pass parameters when
accessing an external system.
 A Web application that accesses a database server
needs to pass logon information to the database server.
 An attacker can embed malicious code and run a
program on the database server or send malicious code
in an HTTP request.
 Basically, the attacker is tricking the Web application
into running malware or making unauthorized
changes to data.
Malicious file execution
 Some Web applications allow users to reference or
upload files containing malware.
 If these references or files aren’t checked before the
Web application executes them, they can give
attackers complete control of the system.
Unsecured direct object reference
 This vulnerability occurs when information returned
via the URL to a user’s Web browser contains
information (references) about files, directories, or
database records.
 By simply changing the information in the URL,
attackers can gain unauthorized access to information.
Information leakage and incorrect error handling
 If an error occurs during normal operations and isn’t
handled correctly, information sent to users might
reveal information attackers can use.
 For example, attackers can take advantage of error
messages that reveal what was executed on the stack or
indicate what Web software is used.
Unsecured cryptographic storage
 Storing keys, certificates, and passwords on a Web
server can be dangerous. If an attacker can gain access
to these mechanisms, the server is vulnerable to
attack. To decrease the chances of a compromise, don’t
store confidential data, such as customers’ credit card
numbers, on your Web server. Instead, require that
confidential data be entered each time users visit the
Web site.
Unsecured communication
 Connections between the Web browser and the Web
application should be encrypted to protect
information as it travels across the Internet. Web
applications need to encrypt not only the session to
the Web browser, but also sessions to any other
servers, such as back-end databases. This vulnerability
occurs when sessions are left unencrypted.
Failure to restrict URL access
 This vulnerability occurs when developers don’t use
adequate access controls for URLs. Instead, they rely
on a “security through obscurity” model, which
depends on users simply not being aware of the
location of critical files and directories.
Canonicalization (dot-dot-slash) Attacks
 IIS didn’t correctly parse the URL information users
entered, which allowed attackers to launch a Unicode
exploit.
 For example, if a user entered the /../.. sequence of
characters in a URL, IIS indicated an error.
 To bypass this check in IIS, attackers substituted the
Unicode equivalent of ../: ..%255c.

http://www.nopatchiss.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c
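As an added example that is not part of these slides, a small Python request filter shows why a check that decodes the path once never sees ../ in ..%255c, and how decoding to a fixed point and then normalizing the path catches it. The path constant is constructed from the slide's URL (query string dropped) and /scripts is an assumed served directory.

```python
import posixpath
from urllib.parse import unquote

# Constructed request path modelled on the slide's URL, without the query string.
DOUBLE_ENCODED = "/scripts/..%255c..%255cwinnt/system32/cmd.exe"


def single_decode_check(url_path):
    """The kind of check the slide describes: decode once, then look for ../.
    ..%255c becomes ..%5c after one pass, so this check never sees ../ at all."""
    once = unquote(url_path).replace("\\", "/")
    return "../" in once


def fully_decode(url_path, max_rounds=4):
    """Keep percent-decoding until the text stops changing (bounded).
    Round 1 turns ..%255c into ..%5c; round 2 turns that into ..\\ ."""
    for _ in range(max_rounds):
        decoded = unquote(url_path)
        if decoded == url_path:
            break
        url_path = decoded
    return url_path


def canonicalize(url_path):
    """Fully decode, fold backslashes to slashes, and collapse . and .. segments."""
    folded = fully_decode(url_path).replace("\\", "/")
    return posixpath.normpath("/" + folded.lstrip("/"))


def escapes_directory(url_path, allowed="/scripts"):
    """True when the canonical path lies outside the directory the handler serves."""
    canon = canonicalize(url_path)
    return canon != allowed and not canon.startswith(allowed + "/")


if __name__ == "__main__":
    print("single decode sees ../ :", single_decode_check(DOUBLE_ENCODED))
    print("canonical path         :", canonicalize(DOUBLE_ENCODED))
    print("escapes /scripts       :", escapes_directory(DOUBLE_ENCODED))
```

The filter should run on the canonical form before the path is mapped to the file system; comparing the raw request text is what the bypass relies on.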
SQL Injection
 SELECT * FROM customer WHERE tblusername = 'bob' AND tblpassword = 'password'
 ' OR 1=1 --
 SELECT * FROM customer WHERE tblusername = '' OR 1=1 -- ' AND tblpassword = ''
 Because 1=1 is always true, the query is carried out successfully. Double
hyphens (--) are used in SQL to indicate a comment.
 ' OR "=" for both
 SELECT * FROM customer WHERE tblusername = ' OR "=" AND tblpassword = ' OR "="
Cgiscan: A CGI Scanning Tool
 A tool for searching Web sites for CGI scripts that can
be exploited.
 Cgiscan, a C program that must be compiled, is
included here as an example of a security tool written
in C.
 Tests for new CGI vulnerabilities can be included by
adding code and then recompiling.
Wapiti
 It inspects a Web site by searching from the outside for
ways to take advantage of XSS, SQL, PHP, JSP, and file-handling vulnerabilities.
 It can detect common forms that allow uploads or
command injection. It uses what's called "fuzzing" (trying to
inject data into whatever will accept it), so even new
vulnerabilities can be discovered.
Wfetch
 A GUI tool that can be downloaded free from
Microsoft and is included in the IIS Resource Kit.