Web Application Threats and Vulnerabilities

Web Server Hacking and Web Application Vulnerability

WWW
- Based upon HTTP and HTML.
- Runs in the application layer of the TCP/IP stack, on top of the Internet.
- Used to exchange information between an originating client (user agent) and a destination server.
- HTTP is defined by RFC 2616: http://www.ietf.org/rfc/rfc2616.txt

Four client-to-server data exchange steps
1. DNS name resolution.
2. The HTTP web server waits for a GET request.
3. The web server responds with a status line (for example, HTTP/1.1 200 OK) and a message containing additional information, such as the HTML text of the requested web page.
4. The client browser processes the HTML tags and presents the web page on the client screen.

- Typically uses plain HTTP, but can also run over SSL or TLS.
- Unsecured HTTP traditionally operates on TCP port 80, while SSL uses 443. Kerberos uses port 88 and Squid uses 8080.

Web applications
- Typically utilize CGI or ASP.
- Can connect to a database.
- Hacking methodologies can include:
  - Information gathering by scanning with Nmap, SuperScan, Amap or similar tools.
  - Banner grabbing to gather server type and version information.

Most widely used web servers
- Apache (most popular)
- IIS
- Sun Java Application Server

Web Server Security Issues
- Attractive targets: hackers seek to exploit server vulnerabilities and compromise websites.
- Older IIS versions were subject to Code Red and ISAPI attacks.
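The four exchange steps above, carried out in code as an added example (not part of the original notes): a hand-built HTTP/1.1 GET request, a minimal stand-in server on a loopback port, and a parser for the status line and headers of the reply. The Server header it extracts is exactly the value that banner grabbing reads, so the same parser is a quick way to audit what your own server discloses. The DemoHandler class, the DemoServer/1.0 banner and the host/port are constructed for this example.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class DemoHandler(BaseHTTPRequestHandler):
    """Stand-in web server for the exchange (constructed for this example)."""
    protocol_version = "HTTP/1.1"
    server_version = "DemoServer/1.0"  # value that will appear in the Server: header
    sys_version = ""                   # drop the default "Python/x.y" suffix

    def do_GET(self):
        body = b"<html><body>Hello from the demo server</body></html>"
        self.send_response(200)        # step 3: status line "HTTP/1.1 200 OK"
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the server quiet


def build_request(host, port, path="/"):
    """Step 2: the raw GET request the client sends once DNS resolution (step 1) is done."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            "Connection: close\r\n"
            "\r\n").encode("ascii")


def parse_response(raw):
    """Steps 3 and 4: split a raw HTTP response into status line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)             # e.g. "HTTP/1.1 200 OK"
    version, status = parts[0], parts[1]
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": int(status), "reason": reason,
            "headers": headers, "body": body}


def fetch(host, port, path="/"):
    """Send the request over a plain TCP socket and read until the server closes."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_request(host, port, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


def run_demo():
    """Start the demo server on an ephemeral loopback port, fetch "/", return the parsed reply."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return fetch(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    reply = run_demo()
    print(reply["version"], reply["status"], reply["reason"])
    # The Server: header is what banner grabbing reads; check what your own server exposes.
    print("Server header:", reply["headers"].get("server"))
```

Running the file starts the server, performs the exchange and prints the status line and Server header; parse_response works equally on a response captured from any real server.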
ISAPI and DLL
- The Internet Server Application Programming Interface (ISAPI) provides application developers with a tool to extend a web server's functionality.
- Two types of ISAPI programs:
  1. ISAPI filters
  2. ISAPI extensions
- ISAPI filters, called from a URL, have the ability to alter information entering and leaving IIS. Examples of ISAPI filter applications are authentication and data compression.
- ISAPI extensions can also be called directly from a URL. An ISAPI extension is a dynamic link library (DLL) file that provides special functions; it is loaded into memory only once, regardless of the number of clients making use of the functions.
- A DLL is a set of routines called to perform specific functions such as printing or content indexing. The routine in the DLL is called from an executable program, and the executable passes parameters to the DLL routine as needed. If the parameters are not passed properly, or if a call to the DLL is not made correctly, a General Protection Fault (GPF) will occur, or the computer will freeze.

Three basic IIS attack types
1. Buffer overflow
2. File system traversal
3. Source disclosure

Buffer overflow examples
- IPP Printer Overflow, which exploits the msw3prt.dll ISAPI DLL.
- ISAPI DLL exploits against the IIS Indexing Service DLL (ida.dll) and the Data Query DLL (idq.dll).
- WebDAV / ntdll.dll.
- IISHack.exe, where the IIS HTTP daemon buffer is made to overflow so that malicious code can then be executed.

File system traversal
- By modifying a website URL, a hacker can perform a file system traversal and obtain access to files on other parts of the server; sometimes called a "dot dot slash" attack.
- Can be filtered, but the filtering must include Unicode and percent encoding.
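The last point above, that a traversal filter must handle Unicode and percent encoding, is where naive filters fail: a check for the literal string "../" misses "%2e%2e/", the double-encoded "%252e%252e/", the backslash variants IIS accepts, and overlong UTF-8 forms such as "%c0%af". The following canonicalizer is an added example (not code from the original notes) showing the defensive order of operations: decode first, then normalize, then verify the result stays under the document root. The WEBROOT value and the decode-round limit are assumptions chosen for the example.

```python
import posixpath
from urllib.parse import unquote_to_bytes

WEBROOT = "/var/www/html"  # assumed document root for this example
MAX_DECODE_ROUNDS = 3      # enough to unwrap double encoding; anything deeper is rejected


def canonical_path(raw_path):
    """Map a request path to a file path under WEBROOT, or return None to reject it.

    Order matters: percent-decode first (repeatedly, so %252e is caught), decode the
    bytes as strict UTF-8 (rejects overlong forms such as %c0%af), treat backslash as
    a separator (IIS does), then collapse '.' and '..' and confirm the result stays
    inside the document root. Only the canonical result is ever used to open a file.
    """
    current = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        try:
            decoded = unquote_to_bytes(current).decode("utf-8")
        except UnicodeDecodeError:
            return None          # invalid or overlong UTF-8 is never a legitimate path
        if decoded == current:
            break                # stable: nothing left to decode
        current = decoded
    else:
        return None              # still changing after the limit: nested encoding, reject

    if "\x00" in current:
        return None              # NUL would truncate the path in C-based file APIs

    current = current.replace("\\", "/")
    rel = posixpath.normpath(current.lstrip("/"))   # collapses "." and ".." segments
    if rel == ".." or rel.startswith("../"):
        return None              # escaped above the root
    full = posixpath.normpath(posixpath.join(WEBROOT, rel))
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):
        return None              # belt and braces: final path must sit under WEBROOT
    return full


if __name__ == "__main__":
    # Constructed request paths, not taken from any real log.
    for p in ["/index.html", "/a/b/../c.html", "/../../etc/passwd",
              "/%2e%2e/%2e%2e/etc/passwd", "/scripts/..%255c..%255cwinnt/system32/cmd.exe",
              "/..%c0%af..%c0%afetc/passwd", "/file%00.html"]:
        print(f"{p!r:55} -> {canonical_path(p)}")
```

Rejected requests (None) are the ones worth logging with the raw, undecoded path, since the encoding used tells you which evasion the client attempted.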
Source Disclosure Threat
- Where IIS is manipulated to reveal the source code of a server-side application.
- IIS is vulnerable to file-related requests involving the $DATA attribute, resulting in the revelation of the contents of the file.
- HTR is a first-generation, HTML-like advanced scripting technology that was never widely adopted. ASP displaced HTR.

Apache Threats
- Apache chunked encoding vulnerability: a flaw in the Apache software misreads the size of the chunks to be received, resulting in a stack overflow and the possibility of executing malicious code.
- mod_proxy buffer overflow: can lead to a buffer overflow in the web server, enabling the execution of malicious code that can cause a denial of service in the server.
- Long URLs: can result in the server showing directory contents.
- PHP filtering: can allow a hacker to run malicious code on the web server.
- URL trailing slashes: many trailing slashes in a URL can expose a listing of the original directory.

Hacking Tools
- IISxploit.exe performs automated directory traversal attacks on IIS.
- CleanIISLog provides a means for an attacker to cover tracks by clearing entries containing his IP address from IIS log files.
- RPC DCOM (Remote Procedure Call / Distributed Component Object Model): creates a stack-based buffer overflow because of improper handling of TCP/IP messages. The overflow manifests in the RPC DCOM interface at ports 135 or 139.
- Cmdasp.asp: an interactive command prompt in an ASP web page on IIS servers.
- The IUSR_computername and IWAM_computername user accounts represent a vulnerability in that they will execute scripts and provide a back door to the IIS server; they can also send a shell back to the hacker's PC by uploading nc.exe to the IIS web server.
- Iiscrack.dll: similar to cmd.asp, provides a path for a hacker to send commands that run on the web server with System privileges.
- Ispc.exe: a client that copies the Trojan ISAPI.DLL to a web server and sets up a remote shell with System privileges.
- WebInspect: a vulnerability scanner that categorizes over 1,500 web pages and can perform over 30,000 security checks.
- Microsoft Windows NT 4.0/2000 Unspecified Executable Path Vulnerability: enables automatic execution of Trojans when DLL files and executables are not protected by the registry patch.
- Execiis-win32.exe: a directory traversal attack that uses cmd to execute commands on an IIS web server.

Patch management
- Patch management is the process of organizing and directing the distribution and installation of provisional software revisions to resources on the network.
- Hotfix refers to adding a patch during normal operation of the computer system.
- Includes an enterprise patch management policy, which includes specifying and enforcing standard platform configurations.
- Typical and popular examples of software tools that can support or automate the patching process include:
  - UpdateExpert: a Windows security management utility.
  - Qfecheck: a Microsoft command-line tool that allows network administrators to track and verify installed Windows 2000 and Windows XP hotfixes.
  - HFNetChk: a Microsoft software engine available through the command-line interface of the Microsoft Baseline Security Analyzer (MBSA). Provides the system administrator with the ability to check the patch status of all the machines in a network from a central location, by accessing an XML database that is kept current by Microsoft.
  - Cacls.exe: an interactive command-line utility for Windows NT/2000/XP used for managing and storing access control lists (ACLs).

Web Application Vulnerabilities
Common web application threats include:
- Cross Site Scripting (XSS)
- Remote code execution
- Username enumeration
- SQL injection
- Cookie/session poisoning
- Command injection
- Parameter/form tampering
- Directory traversal
- Attack obfuscation
- DMZ protocol
- Zero-day
Cross Site Scripting (XSS)
- In XSS, an attacker sends a specific request to a website that causes the website to send malicious web or email code to another user. Effectively, the attacker uses the website as an intermediary for transferring malicious code to another victim.
- One example of malicious action is for the attack code to copy cookies from the victim's computer and relay them to the attacker.

Remote code execution
- Provides the means for a hacker to execute his or her system-level code on a target web server. With this, an attacker can compromise the web server and access files with the same rights as the server system software.

Username enumeration
- Manipulates the back-end authentication script to inform an attacker whether a submitted user name is valid. Iterations exploiting this vulnerability can aid the attacker in determining the correct user name through interpretation of error messages.

SQL Injection
- Enables a hacker to acquire sensitive information stored in the database or to execute remote code. One version of the attack occurs when the user input stream contains string-literal escape characters and these characters are not properly screened.

Cookie/Session poisoning
- The process reverse engineers vulnerable cookies in order to impersonate a valid user or to gain control of a user's session.

Command injection
- The attack injects system commands into computer program variables such that they are executed on the web server.

Attack Obfuscation
- The practice of obscuring something, or making it difficult to analyze or understand. Can prevent reverse engineering.

Zero-day
- An attack that exploits a vulnerability before it is generally known to the public, and usually before patches for the vulnerability have been announced and distributed.

Buffer Overflow
- An input validation attack that is usually the result of weak or nonexistent parameter checking in the processing software.
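The username enumeration and SQL injection entries above describe two flaws that usually live in the same piece of code, the login handler. The example below is added here and is not from the original notes: it builds an in-memory SQLite user table with one constructed account, then shows a login function with both defects (username spliced into the SQL text, and distinct "no such user" / "wrong password" messages) next to a hardened version that binds the username as a parameter, returns one generic message on every failure, and does the same hashing work whether or not the user exists. The table layout, the account "alice" and the messages are assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3

GENERIC_ERROR = "invalid username or password"


def hash_password(password, salt):
    """PBKDF2-SHA256 with a per-user salt; iteration count chosen for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db():
    """In-memory user table holding one constructed account (example data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, hash_password("correct horse", salt)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Before: the username is spliced into the SQL text, so a quote in the input
    rewrites the WHERE clause (SQL injection); and the two failure messages differ,
    which tells a caller whether the username exists (username enumeration)."""
    sql = f"SELECT username, salt, pw_hash FROM users WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return "no such user"
    if hash_password(password, row[1]) != row[2]:
        return "wrong password"
    return f"ok:{row[0]}"


def login_hardened(conn, username, password):
    """After: the placeholder binds the username as data, never as SQL; both failure
    paths return the same message and perform the same amount of hashing work, so
    neither the text nor the timing of the reply reveals whether the user exists."""
    row = conn.execute(
        "SELECT username, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)   # dummy work to equalize timing
        return GENERIC_ERROR
    if not hmac.compare_digest(hash_password(password, row[1]), row[2]):
        return GENERIC_ERROR
    return f"ok:{row[0]}"


if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs: a real user, an unknown user, and a quote-bearing username.
    for user, pw in [("alice", "correct horse"), ("bob", "x"), ("' OR '1'='1", "x")]:
        print(f"{user!r:16} vulnerable -> {login_vulnerable(conn, user, pw)!r:18}"
              f" hardened -> {login_hardened(conn, user, pw)!r}")
```

Run it and compare the two columns: the vulnerable function answers the quote-bearing username with "wrong password" rather than "no such user", proof that the WHERE clause was rewritten and a row was fetched for a name nobody asked for, while the hardened function gives the same reply to every failed attempt.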
Form/Hidden field manipulation
- Altering the data in a hidden field so that the application uses attack-related data.
Related Tools
- Netcat: can be used to categorize the web server (banner grabbing) and proceed with an attack to escalate privileges and provide access to files in all portions of the web server. Netcat can be used to read and write information across TCP and UDP networks.
- Nikto: an open source web server scanner that scans for malicious files and CGIs on a variety of servers.
- Wikto: a web scanning tool similar to Nikto but with added features. Probes for web server vulnerabilities such as vulnerable scripts and directories that might be subject to compromise.
- Nessus: a freely available, rule-based remote vulnerability scanner that uses script-based plug-ins.
- Metasploit framework: an open source program that supports penetration testing of a variety of operating systems.