ITEC441 - IS Security, Chapter 11 – Web Server Security
TRANSCRIPT
How WEB Servers Work
• WEB servers use the Hyper Text Transfer Protocol (HTTP), or HTTP over TLS (HTTPS), to let web-based clients connect to them
  – to view pages
  – to download files
• HTTP is an application-layer protocol in the TCP/IP stack.
• Hyper Text Markup Language (HTML) is the language used to create web pages.
• HTML pages are rendered by the web browser software on the web client.

How WEB Servers Work
• HTTP components
How WEB Servers Work
1. The WEB client opens a TCP connection to the web server's IP address on port 80 (port 443 for HTTPS).
2. The WEB server waits for a GET request from the client asking for the home page of the web server.
3. The web server responds with a status line, response headers and the HTML code of the home page.
4. The client processes the HTML code and the web client's browser software renders the page on the client device.
How to Hack/Protect WEB Servers
1. Understand how the web server works.
2. Know the vulnerabilities of a web server.
3. Learn the types of attacks against web servers.
4. Know the patch-management techniques.
5. Know how to harden the web servers.
Types of WEB Server Vulnerabilities
1. Misconfiguration of the WEB server software
  • Default permissions and settings may leave the site open to attack (e.g. the privileges granted to the "Everyone" group should be restricted).
2. Operating System or Application Bugs, or Flaws in Programming Code
  • The OS and the WEB server application should be patched and updated regularly.
  • OS security patches, hot-fixes and updates should be applied to the system automatically or manually.
3. Vulnerable Default Installation
  • Do not leave your system with its default settings.
  • Close unneeded services and ports.
Types of WEB Server Vulnerabilities
• Hackers exploit these vulnerabilities to gain access to the web server.
• WEB servers are usually located in a Demilitarized Zone (DMZ).
• A DMZ is a publicly reachable network segment placed between two packet-filtering devices (firewalls): it can be reached from the Internet, while the organization's internal systems stay segregated behind the inner firewall.
• An exploit of a web server offers a hacker easier access to internal systems or databases.
The Term: exploit
• An exploit is
  – a piece of software,
  – a chunk of data, or
  – a sequence of commands
• that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior on computer software, hardware, or something electronic.
• This frequently includes such things as gaining control of a computer system, privilege escalation or a denial-of-service attack.
Gathering the Page Content
• In many cases it is useful to gather all or a portion of the files that make up a website.
  – Use "View Source" from the browser's context menu, then download the content one file at a time.
  – Use automated site-copying tools such as "Black Widow" to analyze the structure of the site, then select and gather all or a portion of it.
Attacking a WEB Server
• Web servers typically listen on TCP port 80 (http) and TCP port 443 (https).
• These ports have to be open and available to web clients.
• Any firewall or packet-filtering device between the web client and the web server passes traffic destined for those ports.
• WEB application software may also require additional ports to be open.
Attacking a WEB Server
• Banner Grabbing
  – An information-gathering step targeting web servers.
  – It attempts to learn facts about the web server, such as:
    • the OS
    • the web server software (IIS, Apache, ...) and its version
Attacking a WEB Server
• Banner Grabbing
  – Steps:
    • At the command prompt:
      telnet <IPAddress> 80
    • Next, in the telnet window type
      HEAD / HTTP/1.0
      and press Enter twice (the empty line terminates the request headers).
    • The web server banner is then returned:
      Server: Microsoft-IIS/5.0
      Date: Tue, 06 Dec 2011 13:41:42 GMT
      Content-Length: 340
      Content-Type: text/html
Attacking a WEB Server
• Banner Grabbing
  – Banner grabbing usually gives you the web server type and version.
  – This information is important because published exploits against that web server type and version can then be identified.
  – The next step after banner grabbing would be to
    • attack the web server
    • attack the web application
  – in order to gain access to data on the server.
  – Caveat: the Server header is trivial for an administrator to change or suppress, so treat the banner as a hint and confirm it with other fingerprinting (header order, error pages, default files).
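The request/response cycle from the "How WEB Servers Work" steps and the banner-grabbing HEAD request above, as one added example that is not part of the slides. It starts a stand-in server on the loopback interface (its "Microsoft-IIS/5.0" Server header is an assumed value for the demo, not a real host's banner), sends the same raw HTTP/1.0 requests that the telnet session types by hand, and parses the reply into status line, headers and body.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class BannerHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the target so the exchange runs offline."""
    server_version = "Microsoft-IIS/5.0"   # assumed banner for the demo
    sys_version = ""                        # suppress the "Python/x.y" suffix

    def _respond(self, with_body):
        body = b"<html><body><h1>Home</h1></body></html>"
        self.send_response(200)             # also emits the Server: and Date: headers
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if with_body:
            self.wfile.write(body)

    def do_GET(self):                       # step 2/3: GET -> headers + HTML
        self._respond(with_body=True)

    def do_HEAD(self):                      # banner grabbing: headers only
        self._respond(with_body=False)

    def log_message(self, *args):           # keep the demo quiet
        pass


def start_local_server():
    """Start the stand-in server on an ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), BannerHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def build_request(method, path="/", host="localhost"):
    """Raw HTTP/1.0 request: request line, headers, then the empty line
    (the second Enter in the telnet session) that ends the header block."""
    return f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def parse_response(raw):
    """Split a raw HTTP response into (status_line, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def http_exchange(host, port, method="HEAD", path="/"):
    """Step 1: open the TCP connection (what telnet does); send; read until close."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_request(method, path, host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:                    # HTTP/1.0: server closes after the reply
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


def grab_banner(host, port):
    """Banner grabbing: the Server header names the software and version."""
    _, headers, _ = http_exchange(host, port, "HEAD")
    return headers.get("server", "<no Server header>")


if __name__ == "__main__":
    srv, port = start_local_server()
    print("GET  ->", http_exchange("127.0.0.1", port, "GET")[2][:40])
    print("HEAD ->", grab_banner("127.0.0.1", port))
    srv.shutdown()
```

Run it as a script to see the two exchanges; `parse_response` is the piece worth keeping, since the same header dictionary feeds any later fingerprinting of the server.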
Attacking a WEB Server
• Defacement
  – A visible type of attack against a web server.
  – Hackers deface websites for sheer joy and to enhance their reputations, not to gather any useful data.
  – The hacker exploits a vulnerability in the OS or WEB server software and then alters the web site files to show that the site has been hacked.
  – Often the hacker displays his/her hacker name on the website's home page.
• Common website attacks used for defacement
  – Capturing administrator credentials through man-in-the-middle attacks
  – Revealing an administrator password through a brute-force attack
  – Using a DNS attack to redirect users to a different web server
  – Compromising an FTP or email server
  – Exploiting web application bugs that result in a vulnerability
  – Misconfiguring web shares
  – Taking advantage of weak permissions
  – Rerouting a client after a firewall or router attack
  – Using SQL injection attacks (if the SQL server and the web server are the same system)
  – Using telnet or Secure Shell (SSH) intrusion
  – Carrying out URL poisoning, which redirects the user to a different URL
  – Using web server extension or remote service intrusion
  – Intercepting the communication between the client and the server and changing the cookie to make the server believe that there is a user with higher privileges (applies to cookie-based security)
Hacking Internet Information Server (IIS)
• Windows IIS is one of the most popular web server software products.
• Three of the most common attacks against IIS:
  – Directory traversal
  – Source disclosure
  – Buffer overflow
Hacking Internet Information Server (IIS)
• Directory traversal attack (DTA)
  – Web clients are limited to specific directories within the Windows file system.
  – Only the initial directory (the web root) and its sub-directories may be accessed by web clients.
  – However, a directory-traversal attack permits access to other directories within the file system.
  – Unpatched Windows 2000 with IIS has a DTA vulnerability, also known as the Unicode exploit.
  – The exploit is delivered through requests to the script directories served by CGI scripts and Internet Server Application Programming Interface (ISAPI) extensions, such as .asp.
  – The reason: the IIS parser did not interpret Unicode properly, letting attackers run commands on the server outside the web root.
  – Unicode maps the characters of any language to a universal code; in UTF-8 each code is sent as one or more bytes, which appear in a URL as %XX hex escapes.
  – IIS checked the request for ".." traversal before it decoded the UTF-8 bytes, and decoded them afterwards when mapping the URL to a file: the check therefore scanned a form of the path that did not yet contain the extra slash.
  – Hackers could therefore sneak file requests through IIS.
  – Example: using %c0%af (an over-long UTF-8 encoding of "/") instead of a slash in a relative path name exploits the IIS vulnerability.
  – This exploit lets the hacker read files normally forbidden to him/her.
  – Worse, this exploit allows the hacker to add, change or delete files, or upload and run code on the server (a Trojan or a backdoor).
  – The IIS Unicode exploit is an outdated vulnerability; it is presented here as proof that such vulnerabilities exist and can be exploited.
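The decode-after-check flaw described above, as an added example (not code from the slides or from IIS). The web root "/var/www/site" is an assumed POSIX path so the example runs anywhere; the request string is the widely published form of the attack, with one of the two ".." steps using the over-long slash. `vulnerable_resolve` reproduces the flawed ordering (canonicalise and check the once-decoded path, then decode the Unicode bytes when mapping to a file), and `safe_resolve` shows the fix: decode completely first, canonicalise, then check containment against the root.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Assumed web root for the demo (on the real target it was the IIS scripts
# directory under C:\Inetpub; POSIX paths keep the example portable).
WEB_ROOT = "/var/www/site"


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 the way a forgiving parser did: a 2-byte sequence is accepted
    even when it is 'over-long' (encodes a code point that fits in one byte).
    C0 AF therefore decodes to U+002F '/', which a strict decoder rejects."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                                   # plain ASCII
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))   # no over-long check
            i += 2
        else:                                          # anything else: replacement char
            out.append("\ufffd")
            i += 1
    return "".join(out)


def _under_root(path: str) -> bool:
    return posixpath.commonpath([WEB_ROOT, path]) == WEB_ROOT


def vulnerable_resolve(request_path: str) -> str:
    """Flawed order: the traversal check canonicalises the once-decoded path,
    but the file-system mapping decodes the same bytes a second time."""
    once = unquote_to_bytes(request_path)            # %XX -> raw bytes
    checked = posixpath.normpath(
        posixpath.join(WEB_ROOT, once.decode("latin-1").lstrip("/")))
    if not _under_root(checked):                     # '..\xc0\xaf' looks like a directory name here
        raise PermissionError("traversal blocked")
    mapped = lenient_utf8_decode(once)               # only now does %c0%af become '/'
    return posixpath.normpath(posixpath.join(WEB_ROOT, mapped.lstrip("/")))


def safe_resolve(request_path: str) -> str:
    """Decode completely first, then canonicalise, then check containment."""
    decoded = lenient_utf8_decode(unquote_to_bytes(request_path))
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if not _under_root(candidate):
        raise PermissionError(f"{request_path!r} escapes the web root")
    return candidate


def blocked(resolver, request_path: str) -> bool:
    """True if the resolver refuses the request."""
    try:
        resolver(request_path)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    attack = "/scripts/..%c0%af../winnt/system32/cmd.exe"
    print("vulnerable ->", vulnerable_resolve(attack))      # /var/www/winnt/system32/cmd.exe
    print("safe       ->", "blocked" if blocked(safe_resolve, attack) else safe_resolve(attack))
```

The check in `vulnerable_resolve` is not naive: it canonicalises and tests containment, and it does block a plain `/../../etc/passwd`. It fails only because the representation it checks is not the representation that is used, which is the general lesson behind every double-decoding bug.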
Hacking Internet Information Server (IIS)
• Buffer overflow attacks
  – Not unique to web servers; they can also be launched against other types of systems.
  – A buffer overflow involves sending more data than the web server (or the code behind it) has allocated space for, so the excess overwrites adjacent memory.
  – The primary entry points are the inputs the server copies into fixed-size buffers: web form fields, but also URLs and request headers.
Hacking Internet Information Server (IIS)
• Source Disclosure Attacks
  – Occur when the source code of a server-side application can be retrieved.
  – This can lead to the hacker identifying the application type, programming language, and other application-specific information (e.g. hard-coded database credentials).
  – With this information a hacker can identify security holes and potential exploits for them.
Hacking Internet Information Server (IIS)
• Most of a hacker's time is spent gathering information about a target in order to identify the best point of entry for an exploit.
• White-hat hackers must be aware of all information-gathering techniques in order to identify potential vulnerabilities in web servers and web applications,
• so that they can defend against the same attacks and implement countermeasures to prevent them.
Patch-Management Techniques
• Patch management plays a critical role in preventing and mitigating the risk of attacks against web servers and web applications.
• It is the process of applying the patches and hot-fixes released by the system vendor.
• Proper patch management involves choosing how patches are to be installed and verified.
• It also involves testing those patches on a non-production network prior to installation.
• You should maintain a log of all patches applied to each system.
• To make patch installation easier, you can use automated patch-management systems.
WEB Server Hardening Methods
• Rename the administrator account, and use a strong password.
• Disable default websites and FTP sites.
• Remove unused applications from the server.
• Disable directory browsing in the web server's configuration settings.
• Add a legal notice to the site to make potential attackers aware of the implications of hacking the site.
• Apply the most current patches, hot-fixes, and service packs to the operating system and web server software.
• Perform bounds checking on input from web forms and query strings to prevent buffer overflow or malicious-input attacks.
• Disable remote administration, or restrict it to trusted management addresses.
• Use a script to map unused file extensions to a 404 ("File not found") error message.
• Enable auditing and logging.
• Use a firewall between the server and the Internet and allow only the necessary ports (such as 80 and 443) through the firewall.
• Use the POST method instead of GET when sending data to a web server, so that parameters do not end up in URLs, browser history, and proxy or server logs. Note that POST only keeps data out of those logs; an attacker on the network still sees it unless the connection uses TLS.
WEB Application Vulnerabilities
• Web application vulnerabilities are as risky as web server vulnerabilities.
• Web applications are programs that reside on a web server to give the user functionality beyond just serving pages:
  – Database queries
  – Webmail
  – Discussion groups
  – Blogs
• A web application uses a client/server architecture:
  – The client part runs in the web browser.
  – The server part runs on the web server.
• The server acts as the application server.
• JavaScript is the most popular way to implement user interactivity on the client side (in the web browser).
• The purpose of hacking a web application is to gain confidential data.
• Web applications are critical to the security of a system because they usually connect to a database that contains:
  – Identities
  – Credit card numbers
  – Passwords
• Web application vulnerabilities increase the threat that hackers will exploit the operating system, the web server or the web application software.
• Web applications are essentially another door into a system and can be exploited to compromise the system.
• Hacking a web application is similar to hacking other systems.
• Hackers follow a five-step process.
WEB Application Threats and Countermeasures
• Cross-Site Scripting (XSS)
  – A parameter entered into a web form (or URL) is processed by the web application and written back into a page without encoding.
  – Script code smuggled in through that parameter then executes in the browsers of other users of the site, with access to their cookies and session.
  Countermeasure: validate cookies, query strings, form fields and hidden fields, and HTML-encode all user-supplied data before it is written into a page.
WEB Application Threats and Countermeasures
• SQL Injection
  – Inserting SQL commands into a URL parameter or form field that the application pastes into a query gets the database server to dump, alter, delete or create information in the database.
  Countermeasure: validate the user variables, and use parameterised (prepared) queries so that input is never interpreted as SQL.
• Command Injection
  – The hacker inserts operating-system or programming commands into a web form whose contents the application passes to a shell or interpreter.
  Countermeasure: use language-specific libraries (file, mail and process APIs) instead of building command strings, and validate the input.
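The SQL injection above and its countermeasure, as an added example that is not from the slides. It uses an in-memory SQLite table constructed for the demo (the users, passwords and card numbers are made up). `login_vulnerable` pastes the form values into the SQL text, so a quote in the password field rewrites the WHERE clause and dumps every row; `login_safe` sends the same values as parameters and the quotes stay data.

```python
import sqlite3


def make_db():
    """Constructed sample database: the kind of table a login page queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", "s3cret", "4111-1111-1111-1111"),   # made-up data
        (2, "bob", "hunter2", "5500-0000-0000-0004"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """The URL/form values become part of the SQL text itself."""
    sql = (f"SELECT id, username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the values separately from the
    statement, so quotes or comment markers in the input cannot change its structure."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Two classic payloads: make the WHERE clause always true, or comment out
    # the password check entirely.
    for user, pw in [("alice", "s3cret"), ("x", "' OR '1'='1"), ("alice' --", "wrong")]:
        print(f"{user!r:14} {pw!r:14} vulnerable={login_vulnerable(db, user, pw)} "
              f"safe={login_safe(db, user, pw)}")
```

With the always-true payload the vulnerable query becomes `... AND password = '' OR '1'='1'`, which SQL parses as `(username AND password) OR true` and so returns both rows; the `alice' --` payload turns the rest of the statement into a comment. The same statements with `?` placeholders return nothing for both.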
WEB Application Threats and Countermeasures
• Cookie Poisoning and Snooping
  – The hacker modifies (poisons) or steals (snoops) cookies.
  Countermeasure:
  – Don't store passwords in cookies.
  – Implement cookie timeouts.
  – Authenticate cookies (e.g. sign them with a server-side secret so that any modification is detected).
• Buffer Overflow
  – Huge amounts of data are sent to a web application through a web form in order to execute commands.
  Countermeasure:
  – Validate user input length.
  – Perform bounds checking.
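The cookie-poisoning attack listed under defacement (changing a cookie so the server believes a higher-privileged user is logged in) and the "authenticate cookies" and "cookie timeouts" countermeasures above, as one added example that is not from the slides. The cookie layout (base64 JSON claims, a dot, a base64 HMAC-SHA256 tag) and the secret key are assumptions for the demo; `parse_unsigned` is what a server that does not authenticate cookies effectively does, `verify_cookie` is the fix.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a random key held only on the server; it is never sent to the client.
SECRET = b"assumed-server-side-secret-change-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_unsigned(cookie: str) -> dict:
    """A server that does not authenticate cookies simply trusts the claims."""
    return json.loads(_unb64(cookie.split(".")[0]))


def issue_cookie(user: str, role: str, ttl: int, now: float = None) -> str:
    """Serialise the session claims (with an expiry) and append an HMAC tag over them."""
    now = time.time() if now is None else now
    claims = json.dumps({"user": user, "role": role, "exp": now + ttl}, sort_keys=True).encode()
    tag = hmac.new(SECRET, claims, hashlib.sha256).digest()
    return f"{_b64(claims)}.{_b64(tag)}"


def verify_cookie(cookie: str, now: float = None):
    """Return the claims only if the tag matches and the cookie has not timed out."""
    now = time.time() if now is None else now
    try:
        claims_b64, tag_b64 = cookie.split(".")
        claims = _unb64(claims_b64)
        expected = hmac.new(SECRET, claims, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag_b64)):   # constant-time compare
            return None                                          # poisoned or forged
        data = json.loads(claims)
        if float(data["exp"]) < now:
            return None                                          # timed out
        return data
    except (ValueError, KeyError, TypeError):                    # malformed cookie
        return None


def poison(cookie: str, **changes) -> str:
    """What the attacker does in the intercepted request: edit the claims, keep the tag."""
    claims_b64, tag_b64 = cookie.split(".")
    data = json.loads(_unb64(claims_b64))
    data.update(changes)
    return f"{_b64(json.dumps(data, sort_keys=True).encode())}.{tag_b64}"


if __name__ == "__main__":
    cookie = issue_cookie("bob", "user", ttl=600)
    forged = poison(cookie, role="admin")
    print("unsigned server sees:", parse_unsigned(forged)["role"])   # admin
    print("signed server sees:  ", verify_cookie(forged))            # None
```

Signing only detects modification; it does nothing against snooping, which is why the slide also says not to put passwords in cookies and why the session cookie should additionally carry the Secure and HttpOnly flags.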
WEB Application Threats and Countermeasures
• Authentication Hijacking
  – The hacker steals a session once a user has authenticated.
  Countermeasure:
  – Use SSL/TLS to encrypt the traffic for the whole session, not only the login.
• Directory Traversal/Unicode
  – The hacker browses through the folders on a system via a web browser or Windows Explorer.
  Countermeasure:
  – Define access rights to private folders on the web server.
  – Apply patches and hot-fixes.
Google Hacking
• Google hacking refers to using Google's powerful search engine
  – to locate high-value targets
  – to search for valuable information such as passwords
• The Google Hacking Database (GHDB) is a database of queries that identify sensitive data.
• Although Google blocks some of the better-known Google hacking queries, nothing stops a hacker from crawling your site and running the Google Hacking Database queries directly against the crawled content.
• Some of the more popular examples find specific versions of vulnerable web applications.
• It is normal for default installations of applications to include their running version in every page they serve, e.g. "Powered by XOOPS 2.2.3 Final".
• A search query for that exact phrase would locate all web pages that contain that text.
• Information that the Google Hacking Database identifies:
  • Advisories and server vulnerabilities
  • Error messages that contain too much information
  • Files containing passwords
  • Sensitive directories
  • Pages containing logon portals
  • Pages containing network or vulnerability data such as firewall logs
• The following search query locates all websites that have the words "admbook" and "version" in the title of the page, and also checks that the page being accessed is a PHP file:
  intitle:admbook intitle:version filetype:php
• Another technique is searching for insecure coding practices in the public code indexed by Google Code Search or other source-code search engines.
• One can even locate the administrator credential files (administrators.pwd) exposed by Microsoft FrontPage servers by entering the following search string in the Google search field:
  "#-Frontpage-" inurl:administrators.pwd
• Devices connected to the Internet can be found. With the search string below you can find public web cameras:
  inurl:"ViewerFrame?Mode="
• Check the following links for more information about Google hacking:
  • http://www.informit.com/articles/article.aspx?p=170880
  • http://www.acunetix.com/websitesecurity/google-hacking.htm
  • http://www.eyupcelik.com.tr/guvenlik-araclari/google-hacking-database
• Preventing Google hacking attacks
  – Run the Google hacking queries against your own domain (with a site: filter) before an attacker does.
  – Remove all pages identified by Google hacking queries, or move them out of the web root and behind authentication.
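The point that GHDB queries can be run directly against crawled content, as an added example that is not from the slides: a small matcher for the query syntax used on these slides (`intitle:`, `inurl:`, `filetype:`, quoted phrases and bare words) run over a constructed crawl of a fictitious site. The crawled pages, their URLs and the credential-file contents are all made up for the demo; the four queries are the ones quoted on the slides.

```python
import re

# Constructed crawl of a fictitious site (example.test); none of this is real data.
CRAWLED = [
    {"url": "http://example.test/index.html", "title": "Welcome",
     "text": "Site home page. Powered by XOOPS 2.2.3 Final"},
    {"url": "http://example.test/admbook/index.php", "title": "admbook version 1.2.2",
     "text": "Guestbook administration"},
    {"url": "http://example.test/_vti_pvt/administrators.pwd", "title": "",
     "text": "#-Frontpage-\nadmin:constructed-hash-value"},
    {"url": "http://cam.example.test/ViewerFrame?Mode=Motion", "title": "Network Camera",
     "text": "Live view"},
    {"url": "http://example.test/about.php", "title": "About us",
     "text": "Nothing sensitive here"},
]

# One term: an optional operator prefix, then either a quoted phrase or a bare word.
TOKEN = re.compile(r'(?:(\w+):)?("[^"]*"|\S+)')


def parse_dork(query: str):
    """Split a GHDB-style query into (operator, value) pairs; '' means plain text."""
    return [(op, raw.strip('"')) for op, raw in TOKEN.findall(query)]


def matches(page: dict, query: str) -> bool:
    """Apply every term of the query to one crawled page; all terms must match."""
    for op, value in parse_dork(query):
        value = value.lower()
        if op == "intitle":
            hit = value in page["title"].lower()
        elif op == "inurl":
            hit = value in page["url"].lower()
        elif op == "filetype":
            hit = page["url"].split("?", 1)[0].lower().endswith("." + value)
        else:                                   # bare word or quoted phrase: anywhere in the page
            hit = value in (page["title"] + " " + page["text"]).lower()
        if not hit:
            return False
    return True


def run_ghdb(pages, queries):
    """Run each query offline over the crawl, as an attacker (or a defender) would."""
    return {q: [p["url"] for p in pages if matches(p, q)] for q in queries}


if __name__ == "__main__":
    queries = [
        'intitle:admbook intitle:version filetype:php',
        '"#-Frontpage-" inurl:administrators.pwd',
        'inurl:"ViewerFrame?Mode="',
        '"Powered by XOOPS 2.2.3 Final"',
    ]
    for q, urls in run_ghdb(CRAWLED, queries).items():
        print(f"{q:45} -> {urls}")
```

Used defensively, the same loop over your own crawl is the "run the queries against your own domain" step: whatever it returns is exactly what an attacker who does not need Google will find.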
Web Based Password Cracking Techniques
• Authentication Types
  – Web servers and web applications support multiple authentication types.
  – The most common is HTTP authentication.
  – The two types of HTTP authentication are:
    • Basic
    • Digest
  – Basic HTTP authentication sends the username and password in cleartext (they are base64-encoded, which is trivially reversible and is not encryption).
  – Digest authentication hashes the credentials together with a server-supplied nonce and uses a challenge-response model, so the password itself never crosses the network.
  – In addition, web servers and web applications support the following types of authentication:
    • NTLM Authentication
    • Certificate-Based Authentication
    • Token-Based Authentication
    • Biometric Authentication
  – NTLM Authentication
    • Used between Internet Explorer and IIS web servers.
    • More suitable for internal authentication on an intranet that uses Microsoft operating systems.
    • In a Windows domain, Kerberos authentication is the more secure option and is preferred over NTLM.
  – Certificate-Based Authentication
    • Uses an X.509 certificate and public/private key technology.
  – Token-Based Authentication
    • A token such as RSA SecurID is a hardware device that displays an authentication code which changes every 60 seconds.
    • The user enters this code (usually together with a PIN) to log in to a network.
  – Biometric Authentication
    • This type uses a physical characteristic such as a fingerprint, iris or handprint to authenticate the user.
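Basic versus Digest from the slide above, as an added example that is not from the slides. The Basic half shows the header an attacker sniffing the wire would decode with one call; the Digest half implements the RFC 2617 computation for the form without `qop` (response = MD5(HA1:nonce:HA2)) on both the client and a minimal server that stores only HA1 and issues single-use nonces. The realm, user name and password are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import secrets


def basic_header(username: str, password: str) -> str:
    """Basic: the credentials travel base64-encoded, which is encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def sniff_basic(header: str):
    """Anyone on the path recovers the password with a single decode."""
    token = header.split(" ", 2)[2]
    user, _, pw = base64.b64decode(token).decode().partition(":")
    return user, pw


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """Client side of RFC 2617 Digest without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")   # secret part, never sent
    ha2 = _md5(f"{method}:{uri}")                  # binds the response to the request
    return _md5(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Stores HA1 rather than the password and issues a fresh nonce per challenge."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.outstanding = set()

    def challenge(self) -> str:
        """WWW-Authenticate step: unpredictable nonce the client must fold into its hash."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def check(self, username, method, uri, nonce, response) -> bool:
        if nonce not in self.outstanding or username not in self.ha1:
            return False
        self.outstanding.discard(nonce)        # one use per nonce: a captured response cannot be replayed
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{self.ha1[username]}:{nonce}:{ha2}")
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    hdr = basic_header("alice", "s3cret")
    print(hdr, "->", sniff_basic(hdr))
    srv = DigestServer("example", {"alice": "s3cret"})
    nonce = srv.challenge()
    resp = digest_response("alice", "example", "s3cret", "GET", "/dir/index.html", nonce)
    print("digest accepted:", srv.check("alice", "GET", "/dir/index.html", nonce, resp))
    print("replay accepted:", srv.check("alice", "GET", "/dir/index.html", nonce, resp))
```

Digest keeps the password off the wire, but a sniffed response is still an offline-crackable MD5 of a dictionary guess, which is the link to the password attacks on the next slides; it is a mitigation, not a substitute for TLS.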
Web Based Password Cracking Techniques
• Password Attacks and Password Cracking
  – Three types of password attacks are:
    • Dictionary
      – Uses passwords that can be found in a dictionary (word list).
    • Brute-Force
      – Tries every possible combination of letters, numbers and special characters; it eventually guesses complex passwords but takes far longer.
    • Hybrid
      – Uses dictionary words with numbers or special characters appended, or substituted for letters (e.g. '@' for 'a', '$' for 's').
• A scenario of a dictionary password attack
  1. The hacker obtains the hashed password, e.g. by sniffing it from a wired or wireless network.
  2. Obtains password-cracking software.
  3. Generates or obtains a dictionary of words.
  4. Each word in the list is hashed (or encrypted) with the same algorithm.
  5. Every hashed word in the dictionary is compared with the captured hash.
  6. On a match, the plaintext version of the hashed word is the password being searched for.
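Steps 3 to 6 of the scenario above, plus the hybrid attack from the previous slide, as one added example that is not from the slides. The captured hash is assumed to be unsalted MD5 (the weak case), the three-word dictionary and the target password are constructed for the demo, and the substitution table is a small illustrative one.

```python
import hashlib
import itertools

# Letter-to-symbol substitutions used by the hybrid attack (illustrative subset).
LEET = {"a": ["@", "4"], "s": ["$", "5"], "o": ["0"], "e": ["3"], "i": ["1"]}


def hash_pw(password: str) -> str:
    """Assumption for the demo: the captured hash is unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def dictionary_candidates(words):
    """Step 3: the word list as-is."""
    yield from words


def leet_variants(word: str):
    """Every way of keeping or substituting each substitutable letter."""
    options = [[c] + LEET.get(c.lower(), []) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def hybrid_candidates(words, suffixes=("", "1", "123", "!")):
    """Dictionary words, capitalised or not, with substitutions and a common suffix."""
    for word in words:
        for base in (word, word.capitalize()):
            for variant in leet_variants(base):
                for suffix in suffixes:
                    yield variant + suffix


def crack(target_hash: str, candidates):
    """Steps 4-6: hash each candidate, compare with the captured hash.
    Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for attempts, candidate in enumerate(candidates, 1):
        if hash_pw(candidate) == target_hash:
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    words = ["password", "secret", "welcome"]          # constructed word list
    captured = hash_pw("P@$$w0rd1")                    # step 1: the sniffed hash
    print("dictionary:", crack(captured, dictionary_candidates(words)))
    print("hybrid:    ", crack(captured, hybrid_candidates(words)))
```

The dictionary pass fails after three attempts and the hybrid pass succeeds after a few hundred, which is why "replace letters with symbols" does not make a dictionary word a strong password. A per-user salt would defeat the pre-hashed-list variant of step 4, and a deliberately slow hash makes each attempt cost more, but neither helps a password that is in the candidate set.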