Web Security
Category
The methodology of web hacking
Automated vulnerability scanning software
Common vulnerabilities by platform: Apache
SQL injection
Attacking web services
Hacking web application management
The methodology of web hacking
Profile the infrastructure
Attack the web server
Survey the application
Attack the authentication mechanism
Attack the authorization schemes
Perform a functional analysis
Exploit the data connectivity
Attack the management interfaces
Attack the client
Launch a denial-of-service attack
Profile the infrastructure
Is a special client necessary to connect to the application?
What transports does it use?
Over which ports?
How many servers are there?
Is there a load balancer?
What are the make and model of the Web server?
Are external sites relied on for some functionality?
Attack the Web Server
Attacking the vulnerabilities of the web server software itself (Apache, IIS, etc.) over port 80.
The sheer number of Web server software vulnerabilities that have been published makes this one of the first and usually most fruitful areas of research for a Web hacker.
Survey the Application
Surveying a Web application attempts to discern which application technologies are deployed.
Attack the Authentication Mechanism
Attacks on authentication include automated password guessing and spoofing a token within a cookie.
Attack the Authorization Schemes
Changing the user principal (altering form or cookie values)
Requesting hidden objects with guessable names
attacks, escalating privileges, and tunneling privileged commands to the SQL server
Perform a Functional Analysis
Attempt a functional analysis of each application component (input handling, tracking).
Attempted fault injection is central to software security testing; such attacks are referred to as input validation attacks.
Exploit the Data Connectivity
The most devastating attacks on Web applications actually relate to the back-end database.
Web developers tend to focus on the most efficient way to make this connection, rather than the most secure.
Attack the Management Interfaces
Examine some of the most common management platforms and the vulnerabilities associated with Web application management.
Attack the Client
Web application security holes are usually discussed with an emphasis on server-side flaws. But what about the client side? There have been some devastating attacks against the Web user community over the years, including cross-site scripting.
Launch a Denial-of-Service Attack
If the attacker hasn't gotten in at this point in the methodology, the last refuge of a defeated mind is denial of service (DoS). It is typically carried out by issuing a flood of traffic to a site, drowning out legitimate requests.
AUTOMATED VULNERABILITY SCANNING SOFTWARE
Server Discovery
Internet Footprinting
Footprinting is the process of creating a complete profile of a target's information technology infrastructure. It is primarily carried out using "whois". Whois records include:
Assigned Internet IP address ranges
Registered DNS domain names and related data
Administrative contact for an Internet presence
#whois -h whois.crsnic.net mthai
#whois -h whois.crsnic.net mthai.com
DNS Interrogation
Once the domain names are known, a DNS zone transfer (performed with the "nslookup" command) shows how many servers there are and the IP address of each server.
Ping
The most basic approach to server discovery is to send ICMP Echo Requests (typically implemented via the ping utility) to potentially valid hostnames or IP addresses.
Discovery Using Port Scanning
A port scan attempts to connect to a specific set of TCP and/or UDP ports and determine if a service exists there.
The usual TCP port scan type is called a "TCP SYN scan".
Obviously, Web servers use only a few service ports to serve the Web.
Dealing with Virtual Servers
One issue that can skew the outcome of server discovery is load balancing and virtual servers.
Service Discovery
Identifying which ports are running HTTP is called service discovery.
D:\> fscan -qp 80,81,88,443, 8888,9090,10000 192.168.234.1-254
FScan v1.12 - Command line port scanner.
Copyright 2000 (c) by Foundstone, Inc.
http://www.foundstone.com
Scan started at Fri Feb 15 15:13:33 2002
192.168.234.1 80/tcp
192.168.234.34 80/tcp
192.168.234.34 443/tcp
192.168.234.34 8000/tcp
192.168.234.148 80/tcp
192.168.234.148 443/tcp
192.168.234.148 8000/tcp
Scan finished at Fri Feb 15 15:14:19 2002
Time taken: 4826 ports in 45.705 secs (105.59 ports/sec)
Server Identification
Identifying the server software is called banner grabbing: the server's HTTP response headers are read and each field is analyzed to determine which server is running.
Dealing with SSL
Netcat and Fscan cannot connect over SSL. The tool used to connect over SSL is called sslproxy: it listens on a specified local port (5000 in the example) and forwards the connection to the server's port 443.
dummycert.pem is the certificate to be used for the SSL connection.
COMMON VULNERABILITIES BY PLATFORM: Apache
Apache
Apache has a well-earned reputation for security and performance. But the weak spots of Apache 1.3 are its add-on components, called "modules".
Long Slash Directory Listing
Long URLs passing through the mod_negotiate, mod_dir, and mod_autoindex modules can produce a directory listing.
The concept is simple but requires a few trial runs to perfect against a server: a URL with a large number of trailing slashes.
Note that most Apache servers cannot handle a URL longer than about 8,000 characters at all.
Long Slash Countermeasures
The error is fixed in Apache 1.3.19; however, the problem can also be addressed with a more thorough Apache configuration.
The mod_dir and mod_autoindex modules are included in default builds of the server. Solution:
./configure --disable-module=dir --disable-module=autoindex
Multiview Directory Listing
Apache will resist just about any attempt to obtain directory listings without explicit permission from the server administrator.
But the attack can be performed directly on the URL with a browser or from the command line using netcat.
Multiview Countermeasures
The first defense is a clean document root. No unnecessary files should be present in any directory.
Unnecessary files include password files, developer notes, old data, backup versions of the site, and any file that will never be touched by a browser or required by the application.

Directory listing vulnerabilities are only threatening when sensitive data can be discovered. MultiViews is enabled in the Options directive between <Directory> tags. It is not enabled by default.
mod_rewrite File Access
A fix was released for a vulnerability that would allow a user to access any file on the Web server, even those outside the document root.
Unfortunately, it is not easy to identify when a server is using mod_rewrite, or whether the configuration is vulnerable.
A vulnerable server has a RewriteRule that maps a URL to a local page that is referenced by its complete pathname.
A rule that is not vulnerable:
mod_rewrite Countermeasures
As you may have already guessed from the previous discussion, specify RewriteRules that use generic pathnames.
mod_auth_*sql Injection
The mighty tick mark (') can be inserted into requests. This allows a user to create arbitrary SQL commands, the simplest of which spoof the site's authentication.
mod_auth_*sql Countermeasures
Upgrade the mod_auth_*sql package that you are using. It is necessary to stop and restart the Apache Web server after updating these packages.
SQL Injection
The exploits available to the SQL injection technique vary from innocuous error-generating characters to full command-line execution.
No particular database vendor is more secure than another against these exploits.
SQL Server is just more equal than others!
SQL injection problems begin with the single quote ('), also known as the tick.
A common SQL structure uses the tick to delimit variables within the query:
strSQL = "select userid from users where password = '" + password + "'";
A Walk in the ODBC Woods
If the tick generates a VBScript error or no error at all, move on to the next parameter.
An "unclosed quotation mark" error indicates a vulnerable query. Plus, the error contains "@UserID=182", which provides us with a field name and the specific UserID we have been assigned.
Let's see what the comment (--) generates. It reveals that the data are being passed to a stored procedure named getAdminHome1.
If our original UserID was 182 and UserID 180 is an admin, then we might be tempted to rewrite the UserID parameter. SQL injection has been relegated to a minor input validation error.
What happens if we throw a space (+) into the mix? It generates an ODBC error once more, but this time the @UserID variable has not been declared. This drives home the point of how difficult it is to break a stored procedure. The SiteID variable is placed into the SiteID portion of the SQL statement.
What if we hadn't bothered to include the SQL comment the first time around? We can still change our UserID. Unfortunately, there are now two UserID parameters in the function call.
As another point of academic interest, consider a different method of submitting multiple parameters: ASP receives the SiteID argument as "SiteID=12, 12". The stored procedure sees this as: @name = 12, 12
Common Countermeasures
Robust Error Handling
Never pass raw ODBC or other errors to the user. Use generic error pages and error handlers; the best way to accomplish this is through the "try, catch, finally" method of exception handling.
Parameter Lists
Place user-supplied data into specific variables. String concatenation is the bane of a secure SQL statement because it provides the easiest way for a user to manipulate the statement with tick marks.
Input validation should be performed on the Web server, and items in the database should be strongly typed: a field that only uses numeric values should be of type INT, not VARCHAR.
Stored Procedures
They require a specific number of parameters in specific places in a specific format. Improved performance is often a byproduct of stored procedures.
Running with Least Privilege
The database application should run in a least-privilege situation. Also, the user account that the Web server uses should have limited functionality: it doesn't have to write to the Master database or perform backup duties.
Protecting the Schema
Table names, column names, and SQL structures should not appear in HTML comment tags.
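The tick-mark injection against the string-built strSQL query shown above, and the countermeasures just listed, worked through as an added example in Python (not the slides' own code) against an in-memory SQLite table constructed for the purpose: the concatenated query beside its parameterised form, a defender-side tick probe, the strong typing of UserID, and try/except/finally handling that keeps the raw database error out of the response.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: one admin (UserID 180) and one normal
    user (UserID 182), mirroring the IDs used in the ODBC walk-through."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, name TEXT, "
                 "password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                     [(180, "admin", "admin-pw", 1), (182, "alice", "alice-pw", 0)])
    return conn


def lookup_vulnerable(conn, password):
    """The slides' pattern: the tick delimits a variable that is glued
    into the statement by string concatenation."""
    str_sql = "select userid from users where password = '" + password + "'"
    return sorted(row[0] for row in conn.execute(str_sql))


def lookup_parameterised(conn, password):
    """Countermeasure 'Parameter Lists': the value is bound as a parameter,
    so a tick inside it is plain data and never changes the statement."""
    sql = "select userid from users where password = ?"
    return sorted(row[0] for row in conn.execute(sql, (password,)))


def tick_probe(conn, password):
    """The tick test seen from the defender's side: a database error that
    surfaces from a lone quote is the sign of a string-built query."""
    try:
        lookup_vulnerable(conn, password)
        return "no error"
    except sqlite3.Error as exc:
        return "database error: " + str(exc)


def parse_userid(raw):
    """Countermeasure 'strongly typed': UserID is an INT, so anything that
    is not a plain integer ("182--", "182, 180") is rejected up front."""
    if not raw.isdigit():
        raise ValueError("UserID must be numeric")
    return int(raw)


def admin_home(conn, raw_userid):
    """Countermeasure 'Robust Error Handling' via try/except/finally: the
    raw database error stays in the server log; the user gets a generic page."""
    cur = conn.cursor()
    try:
        cur.execute("select name from users where userid = ?",
                    (parse_userid(raw_userid),))
        row = cur.fetchone()
        return {"status": 200, "name": row[0] if row else None}
    except (ValueError, sqlite3.Error) as exc:
        return {"status": 500, "body": "An error occurred",
                "log": "admin_home failed: " + repr(exc)}
    finally:
        cur.close()
```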
What is a Web Service
A Web Service (WS) is an application program, or a component of one, that works in a service style.
It can be invoked by other applications (PHP, ASP, Java, Python) through Web pages.
A WS is described by a document that lists the features the service offers.
It is offered publicly, so WS users can find it without having to know the physical address of the application or program.
Web Services are a new generation of services in the Web industry. Users simply pull services from the Web. XML is the core language of Web Service development.
SOAP
SOAP (Simple Object Access Protocol) is a protocol for running components across platforms and languages (ASP.NET, C#, PHP, Perl, Java, Python, Delphi). The protocol works over HTTP and uses XML as its message format.
WSDL
WSDL (Web Service Description Language) is a language that describes the features of a Web Service and how to interact with it. It is supervised by the W3C (World Wide Web Consortium) and, in its most popular form, uses XML.
The <types> and <message> elements define the format of the messages that can be passed.
The <portType> element defines the semantics of the message passing (for example, request-only, request-response, response-only).
The <binding> element specifies various encodings over a specified transport such as HTTP, HTTPS, or SMTP.
The <service> element defines the endpoint for the service (a URL).
UDDI
UDDI (Universal Description, Discovery and Integration) is a collection of Web Services on the Internet kept in one place so that users can search easily. For an easy comparison, it is like the Yellow Pages we used to look up phone numbers.
DISCO
Discovery of Web Services (DISCO) is a Microsoft proprietary technology available within their .NET Server operating system and other .NET-related products.
To publish a deployed Web service using DISCO, you simply need to create a .disco file and place it in the Web service's virtual root directory (vroot) along with the other service-related files (such as .asmx, .wsdl, .xsd, and other file types).
The .disco document is an XML document that contains links to other resources that describe the Web service, much like a WSDL file containing the interface contract.
SAMPLE WEB SERVICES HACKS
DISCO and WSDL Disclosure
Microsoft Web services (.asmx files) may cough up DISCO and/or WSDL information simply by appending special arguments to the service request. Given http://www.victim.com/service.asmx, DISCO or WSDL information can be displayed by appending ?disco or ?wsdl to this URL, as shown below:
http://www.victim.com/service.asmx?disco or http://www.victim.com/service.asmx?wsdl
DISCO and WSDL Disclosure Countermeasures
The only way to ensure that DISCO or WSDL information doesn't end up in the hands of intruders is to avoid creating the relevant .wsdl, .discomap, .disco, and .xsd files for the service.
BASICS OF WEB SERVICE SECURITY
Web Services Security Measures
Authentication: using standard HTTP authentication techniques, such as Basic, Digest, Windows Integrated, and SSL client-side certificates.
XML Security
XML Signature: a specification for describing digital signatures using XML, providing authentication, message integrity, and nonrepudiation for XML documents.
XML Encryption: a companion to XML Signature, it addresses the encryption and decryption of XML documents and portions of those documents.
XML Key Management Specification (XKMS): defines messages and protocols for registering and distributing public keys, permitting secure key distribution to unknown transaction partners.
Security Assertion Markup Language (SAML): a format for sharing authentication and authorization information.
Extensible Access Control Markup Language (XACML): an XML format for information access policies.
SSL: SSL can be used in conjunction with Web services to protect against no-brainer eavesdropping and tampering attacks.
Hacking Web Application Management
WEB SERVER ADMINISTRATION
Telnet: Telnet is still commonly run, but a Telnet connection is clear text, so Telnet makes eavesdropping easy.
SSH: Secure Shell (SSH) has been the mainstay of secure remote management for years (more secure than Telnet, at least). SSH1 is also vulnerable to attacks that are easy to carry out; you should use SSH2, whose security is higher.
Proprietary Management Ports: vendors usually set a dedicated port for managing the web server. These ports can be used to get a handle on the server.
WEB CONTENT MANAGEMENT
FTP: DON'T RUN FTP ON YOUR WEB SERVERS! There's just too much risk that someone will guess an account password or find an exploit that will give them the ability to write to the filesystem, and then it's only a short hop to Web defacement (or worse).
The only exception we'd make to this rule is if access to the FTP service is restricted to a certain small range of IP addresses.
SSH/scp: Secure Shell version 2 (SSH2) is a recommended protocol for remote Web server management (given that it is properly maintained).
There is a utility called Secure Copy (scp) that connects to SSH services and performs file transfers right over (authenticated and encrypted) SSH tunnels.
WebDAV: The following list shows some of the more offensive WebDAV methods:
MKCOL "Make Collection," for creating a collection of resources on the Web server.
POST Used to post files to collections (this is a standard HTTP method that will likely see different use with WebDAV).
DELETE Need we say what effect this might have?
PUT Another standard HTTP method that is leveraged by WebDAV to upload content.
MOVE If unable to deface a Web server, hackers may just move the content around.
COPY Yes, it has an overwrite feature.
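Banner grabbing (the Server Identification step earlier on this page) and the WebDAV method list above, as an added example that is not code from the slides: a small parser for a raw HTTP response that pulls the Server banner and reports which of the listed WebDAV methods a server advertises in its Allow header, so an administrator can check their own server's exposure. The sample response is constructed, with a hypothetical banner and no real host.

```python
# The WebDAV methods the slides call out: anything that writes, moves or deletes.
DANGEROUS_WEBDAV_METHODS = {"MKCOL", "POST", "DELETE", "PUT", "MOVE", "COPY"}

# Constructed sample: what an OPTIONS request to a WebDAV-enabled server might
# return. The banner and date are made up for the example.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 15 Feb 2002 15:13:33 GMT\r\n"
    b"Server: Apache/1.3.19 (Unix) DAV/1.0.2\r\n"
    b"DAV: 1,2\r\n"
    b"Allow: GET, HEAD, OPTIONS, PUT, DELETE, MKCOL, COPY, MOVE, PROPFIND\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_response(raw: bytes) -> dict:
    """Split the status line and headers of a raw HTTP response. Header names
    are case-insensitive, so they are lower-cased; repeated headers are joined
    with commas; a malformed header line is skipped rather than aborting."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, _, rest = lines[0].partition(" ")
    code, _, reason = rest.partition(" ")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        value = value.strip()
        headers[key] = headers[key] + ", " + value if key in headers else value
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers}


def server_banner(resp: dict) -> str:
    """The field banner grabbing reads: the Server header, empty if hidden."""
    return resp["headers"].get("server", "")


def advertised_methods(resp: dict) -> set:
    """Methods the server lists in Allow, normalised to upper case."""
    allow = resp["headers"].get("allow", "")
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def webdav_exposure(resp: dict) -> dict:
    """Report whether DAV is advertised and which of the offensive WebDAV
    methods from the list above the server is willing to accept."""
    return {
        "dav_enabled": "dav" in resp["headers"],
        "dangerous_methods": sorted(advertised_methods(resp) & DANGEROUS_WEBDAV_METHODS),
    }
```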