Web Site Hacking (PowerPoint presentation)
Objectives
- Describe Web applications
- Explain Web application vulnerabilities
- Describe the tools used to attack Web servers
Targets
Normally, a Web application is supported by a Web server that runs on a general-purpose or embedded OS.
Each component (application, server, and OS) has its own set of vulnerabilities, but when these components are combined, there's an increased risk of Web applications being compromised.
An attacker can exploit a minor vulnerability in one function, such as a Web mail application, and use it as a stepping stone to launch additional attacks against the OS.
Web Application Components
- Static Web pages
- Dynamic Web pages
- CGI (Common Gateway Interface)
- Active Server Pages (ASP), PHP, ColdFusion, JavaScript, and database connector strings, such as Open Database Connectivity (ODBC)
Scripting Languages
- PHP (Hypertext Preprocessor)
- ColdFusion
- VBScript
- JavaScript
PHP (Hypertext Preprocessor)

```php
<html>
<head><title>My First PHP Program</title></head>
<body>
<?php echo '<h1>Hello, Security Testers!</h1>'; ?>
</body>
</html>
```
ColdFusion

```html
<html>
<head><title>Using CFML</title></head>
<body>
<CFLOCATION URL="www.isecom.org" ADDTOKEN="NO">
</body>
</html>
```
VBScript

```html
<html>
<body>
<script type="text/vbscript">
document.write("<h1>Hello Security Testers!</h1>")
document.write("Date Activated: " & date())
</script>
</body>
</html>
```
JavaScript

```html
<html>
<head>
<script type="text/javascript">
function chastise_user() {
  alert("So, you like breaking rules?");
  // The button needs an id attribute for getElementById to find it
  document.getElementById("cmdButton").focus();
}
</script>
</head>
<body>
<h3>"If you are a Security Tester, please do not click the command button below!"</h3>
<form>
<input type="button" value="Don't Click!" name="cmdButton" id="cmdButton" onClick="chastise_user()" />
</form>
</body>
</html>
```
Connecting to Databases
- Open Database Connectivity
- Object Linking and Embedding Database
- ActiveX Data Objects
Open Database Connectivity (ODBC)
The ODBC interface allows an application to access data stored in a database management system (DBMS).
ODBC established:
- Interoperability between back-end DBMSs and applications
- A standardized representation for data types
- A library of ODBC function calls that allow an application to connect to a DBMS, run SQL statements, and retrieve the results
- A standard method of connecting to and logging on to a DBMS
Object Linking and Embedding Database (OLE DB)
A set of interfaces that enable applications to access data stored in a DBMS.
OLE DB is faster, more efficient, and more stable than its predecessor, ODBC.
OLE DB relies on connection strings that allow the application to access data stored on an external device.
Depending on the data source you're connecting to, you might use a different provider.
For example, connecting to a Microsoft SQL Server database requires using SQLOLEDB as the provider instead of Microsoft.Jet.

```text
Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Personnel.mdb; User ID=; Password=;
```
| OLE DB provider | Description in connection string |
|---|---|
| Microsoft Active Directory Service | Provider=ADSDSOOBJECT |
| Advantage | Provider=Advantage OLE DB Provider |
| AS/400 (from IBM) | Provider=IBMDA400 |
| AS/400 and VSAM (from Microsoft) | Provider=SNAOLEDB |
| MS Commerce Server | Provider=Commerce.DSO.1 |
| DB2 | Provider=DB2OLEDB |
| Microsoft Jet | Provider=Microsoft.Jet.OLEDB.4.0 |
| MS Exchange | Provider=EXOLEDB.DataSource |
| MySQL | Provider=MySQLProv |
| Oracle (from Microsoft) | Provider=msdaora |
| Oracle (from Oracle) | Provider=OraOLEDB.Oracle |
| MS SQL Server | Provider=SQLOLEDB |
ActiveX Data Objects (ADO)
A programming interface for connecting a Web application to a database. To access a database from an ASP Web page, you follow these general steps:
1. Create an ADO connection to the database you want to access.
2. Open the database connection you created in Step 1.
3. Create an ADO recordset, which contains rows from the table you're accessing.
4. Open the recordset.
5. Select the data you need from the recordset, based on particular criteria.
6. Close the recordset and the database connection.
Cross-site scripting (XSS)
A Web browser might carry out code sent from a Web site. Attackers can use a Web application to run a script on the Web browser of the system they're attacking.
XSS is one of the easiest types of attacks to perform, which also makes it one of the most common; attackers simply save the form to their local computers and change the form field values.
This type of attack is also one of the easiest to protect against by making sure that any "post" action is coming from your Web site.

```text
index.php?name=guest<script>alert('attacked')</script>
```
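The slide's index.php?name=... request, worked through as an added Python example (not code from the slides): the vulnerable rendering copies the parameter straight into the page, the hardened rendering HTML-encodes it first, and a small check tells the two responses apart. The hostname example.test and the function names are constructed for the example.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed request URL, modelled on the slide's index.php?name=... example.
MALICIOUS_URL = "http://example.test/index.php?name=guest<script>alert('attacked')</script>"

def name_param(url: str) -> str:
    """Extract the 'name' query parameter from a URL ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]

def render_unsafe(name: str) -> str:
    """Vulnerable pattern: the parameter is copied verbatim into the HTML,
    so a <script> tag in the query string reaches the browser as markup."""
    return f"<h1>Hello, {name}!</h1>"

def render_safe(name: str) -> str:
    """Hardened pattern: HTML-encode the value before placing it in element
    content; the browser then displays the text instead of executing it."""
    return f"<h1>Hello, {html.escape(name, quote=True)}!</h1>"

def reflects_markup(page: str, param: str) -> bool:
    """Defender's check on a response: True when a parameter that contains
    tag characters appears in the page without having been encoded."""
    return ("<" in param or ">" in param) and param in page

if __name__ == "__main__":
    name = name_param(MALICIOUS_URL)
    print(render_unsafe(name))   # markup reflected: the script would run
    print(render_safe(name))     # &lt;script&gt;...: shown as plain text
```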
Injection flaws
Many Web applications pass parameters when accessing an external system. A Web application that accesses a database server needs to pass logon information to the database server.
An attacker can embed malicious code and run a program on the database server or send malicious code in an HTTP request.
Basically, the attacker is tricking the Web application into running malware or making unauthorized changes to data.

Malicious file execution
Some Web applications allow users to reference or upload files containing malware.
If these references or files aren't checked before the Web application executes them, they can give attackers complete control of the system.

Unsecured direct object reference
This vulnerability occurs when information returned via the URL to a user's Web browser contains information (references) about files, directories, or database records.
By simply changing the information in the URL, attackers can gain unauthorized access to information.

Information leakage and incorrect error handling
If an error occurs during normal operations and isn't handled correctly, information sent to users might reveal information attackers can use.
For example, attackers can take advantage of error messages that reveal what was executed on the stack or indicate what Web software is used.

Unsecured cryptographic storage
Storing keys, certificates, and passwords on a Web server can be dangerous. If an attacker can gain access to these mechanisms, the server is vulnerable to attack. To decrease the chances of a compromise, don't store confidential data, such as customers' credit card numbers, on your Web server. Instead, require that confidential data be entered each time users visit the Web site.

Unsecured communication
Connections between the Web browser and the Web application should be encrypted to protect information as it travels across the Internet. Web applications need to encrypt not only the session to the Web browser, but also sessions to any other servers, such as back-end databases. This vulnerability occurs when sessions are left unencrypted.

Failure to restrict URL access
This vulnerability occurs when developers don't use adequate access controls for URLs. Instead, they rely on a "security through obscurity" model, which depends on users simply not being aware of the location of critical files and directories.
Canonicalization (dot-dot-slash) Attacks
IIS didn't correctly parse the URL information users entered, which allowed attackers to launch a Unicode exploit.
For example, if a user entered the /../.. sequence of characters in a URL, IIS indicated an error.
To bypass this check in IIS, attackers substituted the Unicode equivalent of ../: ..%255c.

```text
http://www.nopatchiss.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c
```
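Why the check the slide describes fails, and how a canonicalizing check succeeds, as an added Python example (not from the slides). It takes the path portion of the slide's request; %255c decodes to %5c, which decodes to a backslash, so a filter that only looks at the raw request never sees the dot-dot-slash. The web root /inetpub/wwwroot and the function names are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/inetpub/wwwroot"   # constructed document root; not from the slides
MAX_DECODE_ROUNDS = 3           # guard against pathological nested encodings

# Path portion of the slide's request, without scheme, host or query string.
ATTACK_PATH = "/scripts/..%255c..%255cwinnt/system32/cmd.exe"

def naive_reject(url_path: str) -> bool:
    """The check the slide describes: look for a literal dot-dot-slash in the
    raw request. It misses '..%255c', which only becomes '..\\' after decoding."""
    return "../" in url_path or "..\\" in url_path

def fully_decode(path: str) -> str:
    """Percent-decode until the text stops changing, so %255c -> %5c -> '\\'
    cannot hide a separator from later checks."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def canonicalize(url_path: str) -> str:
    """Resolve the request to the filesystem path it really names: decode,
    treat backslashes as separators (as IIS on Windows does), join onto the
    web root, then collapse every '.' and '..' component."""
    decoded = fully_decode(url_path).replace("\\", "/")
    return posixpath.normpath(WEB_ROOT + "/" + decoded.lstrip("/"))

def is_inside_web_root(url_path: str) -> bool:
    """Authorization decision made on the canonical form, not the raw URL."""
    target = canonicalize(url_path)
    return target == WEB_ROOT or target.startswith(WEB_ROOT + "/")

if __name__ == "__main__":
    print(naive_reject(ATTACK_PATH))        # False: the naive filter is bypassed
    print(canonicalize(ATTACK_PATH))        # /inetpub/winnt/system32/cmd.exe
    print(is_inside_web_root(ATTACK_PATH))  # False: the request is refused
```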
SQL Injections
The logon query is built by inserting the submitted user name and password directly into the SQL text:

```sql
SELECT * FROM customer WHERE tblusername = 'bob' AND tblpassword = 'password'
```

Entering the following as the user name:

```sql
' OR 1=1 --
```

produces this query:

```sql
SELECT * FROM customer WHERE tblusername = '' OR 1=1 -- ' AND tblpassword = ''
```

Because 1=1 is always true, the query is carried out successfully. Double hyphens (--) are used in SQL to indicate a comment.

Entering the following for both the user name and the password:

```sql
' OR ''='
```

produces this query:

```sql
SELECT * FROM customer WHERE tblusername = '' OR ''='' AND tblpassword = '' OR ''=''
```
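The injection-flaw description and the two logon queries above, run against a real database as an added Python example (not from the slides): the vulnerable function concatenates the input into the SQL exactly as the slide shows, the parameterized one binds it as data. The table contents and the sqlite3 in-memory database are constructed for the example.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample table using the slide's column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (tblusername TEXT, tblpassword TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)",
                     [("bob", "password"), ("alice", "s3cret")])
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the WHERE clause by string concatenation, the pattern the slide
    shows: quote characters and -- in the input become part of the SQL."""
    sql = ("SELECT * FROM customer WHERE tblusername = '" + username +
           "' AND tblpassword = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened version: bound parameters reach the database as data, so the
    same input can never change the structure of the query."""
    sql = "SELECT * FROM customer WHERE tblusername = ? AND tblpassword = ?"
    return conn.execute(sql, (username, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    attempts = [("bob", "password"),            # legitimate logon: 1 row either way
                ("' OR 1=1 --", ""),            # slide's first payload
                ("' OR ''='", "' OR ''='")]     # slide's second payload, both fields
    for user, pwd in attempts:
        print(repr(user),
              "vulnerable:", len(login_vulnerable(db, user, pwd)),
              "parameterized:", len(login_parameterized(db, user, pwd)))
```

With the concatenated query both payloads return every customer row; with bound parameters they return none.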
Cgiscan: A CGI Scanning Tool
A tool for searching Web sites for CGI scripts that can be exploited.
Cgiscan, a C program that must be compiled, is included here as an example of a security tool written in C.
Tests for new CGI vulnerabilities can be included by adding code and then recompiling.
Wapiti
It inspects a Web site by searching from the outside for ways to take advantage of XSS, SQL, PHP, JSP, and file-handling vulnerabilities.
It can detect common forms that allow uploads or command injection by using what's called "fuzzing": trying to inject data into whatever will accept it. In this way, even new vulnerabilities can be discovered.
Wfetch
A GUI tool that can be downloaded free from Microsoft and is included in the IIS Resource Kit.