Web Security
- 25. Attack Web Server: attacking vulnerabilities in the web server software itself (Apache, IIS, etc.) over port 80.
- 26. The sheer number of Web server software vulnerabilities that have been published makes this one of the first and usually most fruitful areas of research for a Web hacker.
- 27. Survey the Application: surveying a Web application attempts to discern what application technologies are deployed.
- 33. Perform a Functional Analysis: analyze the function of each application component (input, tracking).
- 36. Exploit the Data Connectivity: the most devastating attacks on Web applications actually relate to the back-end database.
- 37. Web developers tend to focus on the most efficient way to make this connection, rather than the most secure.
- 38. Attack the Management Interfaces: examine some of the most common management platforms and the vulnerabilities associated with Web application management.
- 39. Attack the Client: Web application security holes are usually discussed with an emphasis on server-side flaws. But what about the client side?
- 40. There have been some devastating attacks against the Web user community over the years, including cross-site scripting.
- 41. Launch a Denial-of-Service Attack: if the attacker hasn't gotten in at this point in the methodology, the last refuge of a defeated mind is denial of service (DoS).
- 42. It is typically carried out by issuing a flood of traffic to a site, drowning out legitimate requests.
- 44. Server Discovery / Internet Footprinting: footprinting is the process of creating a complete profile of a target's information technology infrastructure. It is primarily carried out using "whois", whose records include the assigned Internet IP address ranges.
- 49. DNS Interrogation: a DNS zone transfer for the target's domain name, requested with the "nslookup" command, reveals how many servers there are and the IP address of each server.
- 50. Ping: the most basic approach to server discovery is to send ICMP Echo Requests (typically implemented via the ping utility) to potentially valid hostnames or IP addresses.
- 51. Discovery Using Port Scanning A port scan attempts to connect to a specific set of TCP and/or UDP ports and determine if a service exists there.
- 55. Dealing with Virtual Servers One issue that can skew the outcome of server discovery is load balancing and virtual servers.
- 57. Sample FScan run (port-scan output):

```
D:\> fscan -qp 80,81,88,443, 8888,9090,10000 192.168.234.1-254
FScan v1.12 - Command line port scanner.
Copyright 2000 (c) by Foundstone, Inc.
http://www.foundstone.com

Scan started at Fri Feb 15 15:13:33 2002
192.168.234.1 80/tcp
192.168.234.34 80/tcp
192.168.234.34 443/tcp
192.168.234.34 8000/tcp
192.168.234.148 80/tcp
192.168.234.148 443/tcp
192.168.234.148 8000/tcp
Scan finished at Fri Feb 15 15:14:19 2002
Time taken: 4826 ports in 45.705 secs (105.59 ports/sec)
```
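The defender's use of output like the scan above is reconciliation: every open port the scan finds should be one the inventory already approves. The following is an added example, not code from the slides or from Foundstone; it parses FScan-style result lines (the sample text mirrors the slide's output, the inventory of approved ports is a hypothetical assumption) and reports anything that is open but not approved.

```python
import re
from collections import defaultdict

# Constructed sample: the FScan result lines shown on the slide, reused here
# as input for an inventory check (no live scanning is performed).
SCAN_OUTPUT = """\
Scan started at Fri Feb 15 15:13:33 2002
192.168.234.1 80/tcp
192.168.234.34 80/tcp
192.168.234.34 443/tcp
192.168.234.34 8000/tcp
192.168.234.148 80/tcp
192.168.234.148 443/tcp
192.168.234.148 8000/tcp
Scan finished at Fri Feb 15 15:14:19 2002
"""

# Assumed (hypothetical) inventory: the ports each host is approved to serve.
APPROVED = {
    "192.168.234.1": {80},
    "192.168.234.34": {80, 443},
    "192.168.234.148": {80, 443},
}

# One result line: "<ipv4> <port>/<tcp|udp>"; banner and timing lines do not match.
RESULT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)/(tcp|udp)\s*$")


def parse_scan(text):
    """Return {host: {(port, proto), ...}} from FScan-style output; non-result lines are ignored."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            found[m.group(1)].add((int(m.group(2)), m.group(3)))
    return dict(found)


def unexpected_services(found, approved):
    """List (host, port, proto, reason) for open ports the inventory does not approve."""
    findings = []
    by_octets = lambda kv: [int(o) for o in kv[0].split(".")]
    for host, services in sorted(found.items(), key=by_octets):
        allowed = approved.get(host)
        for port, proto in sorted(services):
            if allowed is None:
                findings.append((host, port, proto, "host not in inventory"))
            elif port not in allowed:
                findings.append((host, port, proto, "port not approved"))
    return findings


if __name__ == "__main__":
    for host, port, proto, why in unexpected_services(parse_scan(SCAN_OUTPUT), APPROVED):
        print(f"{host}:{port}/{proto} -> {why}")
```

Run against the slide's output, the two hosts listening on 8000/tcp are reported, which is exactly the kind of forgotten management or test listener the rest of this deck goes on to attack.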
- 58. Server Identification: the server identifies itself in its HTTP response headers; reading those headers is called banner grabbing, and each header field is analyzed to identify the server.
- 59. Dealing with SSL: Netcat and Fscan can't connect to SSL services. To reach them, a hacker uses a tool called sslproxy, which listens on a specified local port (for example 5000) and forwards the connection to the server's port 443.
- 63. Apache: Apache has a well-earned reputation for security and performance. But the gaps in Apache 1.3 lie in its add-on components, called "modules".
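The banner-grabbing step above works because servers volunteer product names and version numbers in their response headers. The following is an added example, not from the slides: it parses a raw HTTP response (a constructed sample, not a capture from any real host) and reports which headers disclose version information, so an administrator can check what their own server gives away before an attacker does.

```python
import re

# Constructed sample response; the header values are illustrative only.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 15 Feb 2002 15:20:01 GMT\r\n"
    "Server: Apache/1.3.19 (Unix) mod_ssl/2.8.1 OpenSSL/0.9.6\r\n"
    "X-Powered-By: PHP/4.0.6\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Same response after the server was configured to withhold version detail.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 15 Feb 2002 15:20:01 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Headers that commonly carry product/version banners (lower-cased for lookup).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# A dotted version number such as 1.3.19 or 0.9.6.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


def parse_headers(raw):
    """Split a raw response into (status line, {lower-case name: value}); body is discarded."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def banner_findings(raw):
    """Disclosing headers present in the response, each with the version strings it contains."""
    _, headers = parse_headers(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is not None:
            findings.append({"header": name, "value": value,
                             "versions": VERSION_RE.findall(value)})
    return findings


def discloses_versions(raw):
    """True if any banner header carries a version number."""
    return any(f["versions"] for f in banner_findings(raw))


if __name__ == "__main__":
    for f in banner_findings(RAW_RESPONSE):
        print(f"{f['header']}: {f['value']}  versions={f['versions']}")
```

The check is deliberately simple; the point is that every version string it prints is one an attacker can match against published vulnerabilities without touching anything but port 80.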
- 64. Long Slash Directory Listing: long URLs passing through the mod_negotiate, mod_dir, and mod_autoindex modules
- 66. but it requires a few trial runs to perfect against a server. A URL with a large number of trailing slashes
- 67. Note that most Apache servers cannot handle at all a URL longer than about 8,000 characters.
- 68. Long Slash Countermeasures The error is fixed in Apache 1.3.19; however, the problem can also be addressed with a more thorough Apache configuration.
- 69. The mod_dir and mod_autoindex modules are included in default builds of the server. Solution: `./configure --disable-module=dir --disable-module=autoindex`
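Because the long-slash technique needs "a few trial runs", it leaves a recognisable trace in the access log: the same client sending URLs with many trailing slashes, and sometimes requests near the 8,000-character limit the slide mentions. The following is an added detection example, not code from the slides; it parses Apache combined-format log lines (constructed samples) and flags both patterns. The trailing-slash threshold is an assumed value to be tuned per site; the 8,000-character figure is the slide's.

```python
import re

# Constructed Apache combined-format log lines (not from any real server).
LOG_LINES = [
    '10.0.0.5 - - [15/Feb/2002:15:30:01 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [15/Feb/2002:15:30:07 +0000] "GET /cgi-bin/' + "/" * 120 + ' HTTP/1.0" 200 3120 "-" "-"',
    '10.0.0.9 - - [15/Feb/2002:15:30:09 +0000] "GET /' + "A" * 8200 + ' HTTP/1.0" 414 0 "-" "-"',
]

# Combined log format: client, ident, user, [timestamp], "METHOD URL PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

MAX_TRAILING_SLASHES = 8   # assumed threshold; legitimate sites rarely exceed one or two
MAX_URL_LENGTH = 8000      # the slide's figure for what most Apache servers cannot handle


def parse_line(line):
    """Return the matched fields as a dict, or None for lines that are not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Reasons a request looks like long-slash or overlong-URL probing (empty list if none)."""
    url = entry["url"]
    reasons = []
    trailing = len(url) - len(url.rstrip("/"))
    if trailing >= MAX_TRAILING_SLASHES:
        reasons.append(f"{trailing} trailing slashes")
    if len(url) > MAX_URL_LENGTH:
        reasons.append(f"url length {len(url)}")
    return reasons


def suspicious_requests(lines):
    """(client, status, reasons) for every flagged request, in log order."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            out.append((entry["ip"], entry["status"], reasons))
    return out


if __name__ == "__main__":
    for ip, status, reasons in suspicious_requests(LOG_LINES):
        print(ip, status, "; ".join(reasons))
```

The status code matters when triaging: a flagged request answered with 200 means the server actually served something for the slash-laden URL, which on an unpatched 1.3 build with mod_dir and mod_autoindex loaded is the directory listing the slide describes; a 414 means the server refused the overlong URL.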
- 70. Multiview Directory Listing: Apache will resist just about any attempt to obtain directory listings without explicit permission from the server administrator.
- 71. But the attack can be performed directly on the URL with a browser, or from the command line using netcat.
- 74. Unnecessary files include password files, developer notes, old data, backup versions of the site, and any file that will never be touched by a browser or required by the application.
- 75. Directory listing vulnerabilities are only threatening when sensitive data can be discovered. Multiview is enabled in the Options directive between <Directory> tags. It is not enabled by default.
- 76. mod_rewrite File Access: a fix was released for a vulnerability that would allow a user to access any file on the Web server, even those outside the document root.
- 77. Unfortunately, it is not easy to identify when a server is using mod_rewrite, or whether the configuration is vulnerable.
- 78. A vulnerable server has a RewriteRule that maps a URL to a local page that is referenced by its complete pathname.
- 85. mod_auth_*sql Injection: the mighty tick mark (') can be inserted into requests. This allows a user to create arbitrary SQL commands, the simplest of which spoof the site's authentication. mod_auth_*sql Countermeasures: upgrade the mod_auth_*sql package that you are using. It is necessary to stop and restart the Apache Web server after updating these packages.
- 87. SQL Injection The exploits available to the SQL injection technique vary from innocuous error-generating characters to full command-line execution.
- 91. A common SQL structure uses the tick to delimit variables within the query: `strSQL = "select userid from users where password = '" + password + "'";`
- 93. A Walk in the ODBC Woods: if the tick generates a VBScript error or no error at all, move on to the next parameter.
- 94. The unclosed quotation mark indicates a vulnerable query. Plus, the error contains “@UserID=182”, which provides us with a field name and the specific UserID we have been assigned.
- 95. A Walk in the ODBC Woods Let’s see what the comment (--) generates.
- 96. This reveals that the data are being passed to a stored procedure named getAdminHome1.
- 97. A Walk in the ODBC Woods: if our original UserID was 182 and UserID 180 is an admin, then we might be tempted to rewrite the UserID parameter.
- 99. A Walk in the ODBC Woods What happens if we throw a space (+) into the mix?
- 100. This generates an ODBC error once more, but the @UserID variable has not been declared. This drives home the point of how difficult it is to break a stored procedure.
- 102. A Walk in the ODBC Woods What if we hadn’t bothered to include the SQL comment the first time around?
- 103. We can change our UserID. Unfortunately, there are now two UserID parameters in the function call.
- 104. A Walk in the ODBC Woods As another point of academic interest, consider a different method of submitting multiple parameters:
- 105. ASP receives the SiteID argument as “SiteID=12, 12”. The stored procedure sees this as: @name = 12, 12
- 107. The best way to accomplish this is through the "try, catch, finally" method of exception handling.
- 109. String concatenation is the bane of a secure SQL statement because it provides the easiest way for a user to manipulate the statement with tick marks.
- 111. A field that only uses numeric values should be a type INT, not a VARCHAR.
- 115. Also, the user account that the Web server uses should have limited functionality.
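The slides' three points (string concatenation with the tick, numeric fields typed as INT, and the doubled "UserID=182, 180" / "SiteID=12, 12" parameter trick) can be shown side by side. The following is an added example, not code from the slides: an in-memory SQLite table stands in for the site's users table (constructed rows; the IDs 180 and 182 are the ones the slides use), the slide's concatenated query is reproduced next to its parameterized form, and a validator accepts a UserID only when it appears exactly once and is an integer.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed stand-in for the back-end database: two users, 180 being the admin."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(180, "admin", "s3cret-admin"), (182, "alice", "alice-pw")])
    db.commit()
    return db


def lookup_concat(db, password):
    """The slide's pattern: the tick-delimited value is glued into the statement text.

    A password containing a tick changes the statement itself, so a single
    crafted value can satisfy the WHERE clause for every row.
    """
    sql = "select userid from users where password = '" + password + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_param(db, password):
    """Hardened form: the value is bound as a parameter and can never become SQL text."""
    return [row[0] for row in db.execute(
        "select userid from users where password = ?", (password,))]


def parse_userid(query_string):
    """Accept a UserID only if it appears exactly once and is purely numeric.

    Rejects both the doubled-parameter trick ("UserID=182&UserID=180") and
    values such as "12, 12" or "180'" that a VARCHAR column would have accepted.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("UserID", [])
    if len(values) != 1:
        raise ValueError("UserID must appear exactly once")
    raw = values[0].strip()
    if not raw.isdigit():
        raise ValueError("UserID must be numeric")
    return int(raw)


if __name__ == "__main__":
    db = make_db()
    print("concatenated, normal password:", lookup_concat(db, "alice-pw"))
    print("parameterized, normal password:", lookup_param(db, "alice-pw"))
    print("validated UserID:", parse_userid("UserID=182"))
```

The concatenated form returns every user for a tick-bearing value while the parameterized form returns nothing, which is the whole argument of slide 109 in two function calls; the validator is the application-side counterpart of the INT-column rule on slide 111.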
- 119. What is a Web Service: a Web Service (WS) is an application program, or a unit of work, offered as a service.
- 120. It allows applications to be invoked from other applications (PHP, ASP, Java, Python) through web pages.
- 121. A service document describes the features of the WS that a company offers.
- 122. Published openly, it lets WS users find a service without having to know the physical address of the application or program.
- 123. Web Services are a new generation of services in the web industry. Users simply pull services from the Web. XML is the core language of Web Services development.
- 125. SOAP (Simple Object Access Protocol): a protocol for invoking components across platforms and languages (ASP.NET, C#, PHP, Perl, Java, Python, Delphi). It works over the HTTP protocol, with XML as its message format.
- 127. WSDL (Web Service Description Language): a language that describes the features of Web Services and how to interact with them, under the supervision of the W3C (World Wide Web Consortium); it is most commonly written in XML. The <types> and <message> elements define the format of the messages that can be passed.
- 128. The <portType> element defines the semantics of the message passing (for example, request-only, request-response, response-only).
- 129. The <binding> element specifies various encodings over a specified transport such as HTTP, HTTPS, or SMTP.
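A WSDL file is an inventory of everything a service will accept, which is why its disclosure matters later in this deck. The following is an added example, not from the slides: it parses a constructed minimal WSDL document (hypothetical "AccountService", no real endpoint) with the standard library and lists, per <portType> operation, its message-exchange pattern, the <message> parts it takes, and the transport each <binding> uses, so a reviewer can see at a glance which operations are exposed.

```python
import xml.etree.ElementTree as ET

# Constructed minimal WSDL 1.1 document exercising <types>, <message>, <portType>, <binding>.
WSDL = """<?xml version="1.0"?>
<definitions name="AccountService"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="urn:example:account">
  <types>
    <xsd:schema targetNamespace="urn:example:account">
      <xsd:element name="GetBalanceRequest" type="xsd:int"/>
    </xsd:schema>
  </types>
  <message name="GetBalanceIn"><part name="accountId" type="xsd:int"/></message>
  <message name="GetBalanceOut"><part name="balance" type="xsd:decimal"/></message>
  <message name="ResetPasswordIn"><part name="userId" type="xsd:int"/></message>
  <portType name="AccountPort">
    <operation name="GetBalance">
      <input message="tns:GetBalanceIn"/><output message="tns:GetBalanceOut"/>
    </operation>
    <operation name="ResetPassword">
      <input message="tns:ResetPasswordIn"/>
    </operation>
  </portType>
  <binding name="AccountSoap" type="tns:AccountPort">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="rpc"/>
  </binding>
</definitions>"""

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"


def q(tag, ns=WSDL_NS):
    """Namespace-qualify a tag name the way ElementTree expects."""
    return f"{{{ns}}}{tag}"


def describe_wsdl(text):
    """Return {'operations': [...], 'bindings': [...]} summarising what the WSDL exposes."""
    root = ET.fromstring(text)

    # <message>: name -> list of (part name, type)
    messages = {}
    for msg in root.findall(q("message")):
        messages[msg.get("name")] = [(p.get("name"), p.get("type")) for p in msg.findall(q("part"))]

    # <portType>: operations and their exchange pattern (WSDL 1.1 names; the slide
    # calls input-only "request-only" and output-only "response-only").
    operations = []
    for pt in root.findall(q("portType")):
        for op in pt.findall(q("operation")):
            inp, out = op.find(q("input")), op.find(q("output"))
            pattern = {(True, True): "request-response", (True, False): "one-way",
                       (False, True): "notification"}.get((inp is not None, out is not None), "unknown")
            in_msg = inp.get("message").split(":")[-1] if inp is not None else None
            operations.append({"portType": pt.get("name"), "name": op.get("name"),
                               "pattern": pattern, "input_parts": messages.get(in_msg, [])})

    # <binding>: which transport each binding rides on
    bindings = []
    for b in root.findall(q("binding")):
        sb = b.find(q("binding", SOAP_NS))
        bindings.append({"binding": b.get("name"),
                         "transport": sb.get("transport") if sb is not None else None})

    return {"operations": operations, "bindings": bindings}


if __name__ == "__main__":
    summary = describe_wsdl(WSDL)
    for op in summary["operations"]:
        print(f"{op['portType']}.{op['name']}: {op['pattern']} {op['input_parts']}")
    for b in summary["bindings"]:
        print(f"binding {b['binding']} over {b['transport']}")
```

An operation such as the constructed ResetPassword, reachable one-way over plain HTTP with a single integer argument, is the sort of entry a reviewer should ask questions about before the file is published.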
- 134. UDDI (Universal Description, Discovery and Integration): a directory of Web Services on the Internet, gathered in one place so that users can search easily. For comparison, it is like the Yellow Pages we used to look up phone numbers.
- 135. DISCO Discovery of Web Services (DISCO) is a Microsoft proprietary technology available within their .NET Server operating system and other .NET-related products.
- 136. To publish a deployed Web service using DISCO, you simply need to create a .disco file and place it in the Web service’s virtual root directory (vroot) along with the other service-related files (such as .asmx, .wsdl, .xsd, and other file types).
- 137. The .disco document is an XML document that contains links to other resources that describe the Web service, much like a WSDL file containing the interface contract.
- 138. SAMPLE WEB SERVICES HACKS / DISCO and WSDL Disclosure: Microsoft Web services (.asmx files) may cough up DISCO and/or WSDL information simply by appending special arguments to the service request. Given http://www.victim.com/service.asmx, DISCO or WSDL information can be displayed by appending ?disco or ?wsdl to this URL, as shown below: http://www.victim.com/service.asmx?disco or http://www.victim.com/service.asmx?wsdl
- 140. DISCO and WSDL Disclosure Countermeasures The only way to ensure that DISCO or WSDL information doesn’t end up in the hands of intruders is to avoid creating the relevant .wsdl, .discomap, .disco, and .xsd files for the service.
- 141. BASICS OF WEB SERVICE SECURITY / Web Services Security Measures. Authentication: use standard HTTP authentication techniques such as Basic, Digest, Windows Integrated, and SSL client-side certificates. XML Security: XML Signature is a specification for describing digital signatures using XML, providing authentication, message integrity, and nonrepudiation for XML documents.
- 142. XML Encryption: a companion to XML Signature, it addresses the encryption and decryption of XML documents and portions of those documents.
- 143. BASICS OF WEB SERVICE SECURITY / Web Services Security Measures / XML Security. XML Key Management Specification (XKMS): defines messages and protocols for registering and distributing public keys, permitting secure key distribution to unknown transaction partners.
- 145. Extensible Access Control Markup Language (XACML): an XML format for information access policies. SSL: SSL can be used in conjunction with Web services to protect against no-brainer eavesdropping and tampering attacks.
- 147. WEB SERVER ADMINISTRATION. Telnet: Telnet is still in use, but because a Telnet connection carries clear text, it makes eavesdropping easy. SSH: Secure Shell (SSH) has been the mainstay of secure remote management for years (more secure than Telnet, at least).
- 148. SSH1 is also vulnerable to attack, and easily so. You should use SSH2, which offers higher security.
- 149. WEB SERVER ADMINISTRATION / Proprietary Management Ports: vendors usually set a dedicated port for managing the web server. These ports can be used to get a handle on the server.
- 151. WEB CONTENT MANAGEMENT / FTP: DON'T RUN FTP ON YOUR WEB SERVERS! There's just too much risk that someone will guess an account password or find an exploit that will give them the ability to write to the filesystem, and then it's only a short hop to Web defacement (or worse).
- 152. The only exception we’d make to this rule is if access to the FTP service is restricted to a certain small range of IP addresses.
- 153. WEB CONTENT MANAGEMENT SSH/scp Secure Shell version 2 (SSH2) is a recommended protocol for remote Web server management (given that it is properly maintained).
- 154. There is a utility called Secure Copy (scp) that is available to connect to SSH services and perform file transfers right over (authenticated and encrypted) SSH tunnels.
- 155. WebDAV: the following list shows some of the more offensive WebDAV methods. MKCOL: "Make Collection," for creating a collection of resources on the Web server.
- 156. POST Used to post files to collections (this is a standard HTTP method that will likely see different use with WebDAV).
- 159. MOVE If unable to deface a Web server, hackers may just move the content around.
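The methods listed above are the ones to watch for in a web server's logs, and the status code tells you whether the server actually honoured them. The following is an added example, not code from the slides: it parses Apache combined-format access log lines (constructed samples) and tallies, per client, which WebDAV methods were accepted (2xx) and which were refused. The method set is the slide's MKCOL and MOVE plus the other write-capable methods defined by the WebDAV specification (RFC 4918); PROPFIND is included as the read method that usually precedes them.

```python
import re
from collections import Counter, defaultdict

# WebDAV methods worth tracking: the slide's MKCOL/MOVE plus the other RFC 4918
# methods that create, alter, lock or remove content, and PROPFIND (enumeration).
WEBDAV_METHODS = {"MKCOL", "MOVE", "COPY", "PUT", "DELETE", "PROPPATCH",
                  "LOCK", "UNLOCK", "PROPFIND"}

# Constructed Apache combined-format log lines (not from any real server).
LOG_LINES = [
    '10.0.0.3 - - [15/Feb/2002:16:01:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    '10.0.0.7 - - [15/Feb/2002:16:02:10 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "-"',
    '10.0.0.7 - - [15/Feb/2002:16:02:11 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 812 "-" "-"',
    '10.0.0.7 - - [15/Feb/2002:16:02:15 +0000] "MKCOL /webdav/tmp/ HTTP/1.1" 201 0 "-" "-"',
    '10.0.0.7 - - [15/Feb/2002:16:02:20 +0000] "MOVE /index.html HTTP/1.1" 403 289 "-" "-"',
]

# Combined log format: client, ident, user, [timestamp], "METHOD URL PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the matched fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def webdav_activity(lines):
    """{client: {'accepted': Counter(method), 'rejected': Counter(method)}} for WebDAV methods.

    A 2xx status means the server carried out the method (201 for a created
    collection, 207 Multi-Status for PROPFIND); anything else is a refusal.
    """
    report = defaultdict(lambda: {"accepted": Counter(), "rejected": Counter()})
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["method"].upper() not in WEBDAV_METHODS:
            continue
        outcome = "accepted" if entry["status"].startswith("2") else "rejected"
        report[entry["ip"]][outcome][entry["method"].upper()] += 1
    return dict(report)


def clients_with_accepted_writes(report):
    """Clients for whom the server accepted a method that changes content (not PROPFIND)."""
    return sorted(ip for ip, r in report.items()
                  if any(m != "PROPFIND" for m in r["accepted"]))


if __name__ == "__main__":
    report = webdav_activity(LOG_LINES)
    for ip, r in report.items():
        print(ip, "accepted:", dict(r["accepted"]), "rejected:", dict(r["rejected"]))
    print("accepted writes from:", clients_with_accepted_writes(report))
```

In the sample, the server refused the MOVE but accepted the MKCOL, so 10.0.0.7 now owns a collection on the server; that accepted write is the line to escalate, and the refused MOVE is the evidence of intent.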