ITEC441 - IS Security, Chapter 11 – Web Server Security

Transcript of ITEC441 - IS Security, Chapter 11 – Web Server Security (51 pages).

Page 1: ITEC441 - IS Security, Chapter 11 – Web Server Security

Page 2: How WEB Servers Work

• WEB servers use Hyper Text Transfer Protocol (HTTP) and Hyper Text Transfer Protocol Secure (HTTPS) to allow web-based clients to connect to them:
  – to view pages
  – to download files
• HTTP is an application layer protocol in the TCP/IP stack.
• Hyper Text Markup Language (HTML) is the language used to create web pages.
• HTML pages are rendered by web browser software on web clients.

Page 3: How WEB Servers Work

• HTTP components

Page 4: How WEB Servers Work

1. The WEB client initially opens a connection to the web server IP address on TCP port 80.
2. The WEB server waits for a GET request from the client requesting the home page of the web server.
3. The web server responds with the HTML code for the web server home page.
4. The client processes the HTML code and the web client’s browser software renders the page on the client device.

Page 5: How to Hack/Protect a WEB Server

1. Understand how the web server works.
2. Know the vulnerabilities of a web server.
3. Learn the types of attacks against web servers.
4. Know the patch-management techniques.
5. Know how to harden the web servers.

Page 6: Types of WEB Server Vulnerabilities

1. Misconfiguration of the WEB server software
  • Default permissions and settings may leave the site open to attack (e.g., the privileges of the “Everyone” group should be reduced).
2. Operating System or Application Bugs, or Flaws in Programming Code
  • The OS and the WEB server application should be patched and updated regularly.
  • OS security patches, hot fixes and updates should be applied to the system automatically or manually.
3. Vulnerable Default Installation
  • Do not leave your system with its default settings.
  • Close unneeded services and ports.

Page 7: Types of WEB Server Vulnerabilities

• Hackers exploit these vulnerabilities to gain access to the web server.
• WEB servers are usually located in a Demilitarized Zone (DMZ).
• A DMZ is a publicly accessible area between two packet filtering devices (firewalls) and can be accessed easily by the organization’s client systems.
• An exploit of a web server offers a hacker easier access to internal systems or databases.

Page 8: The Term: exploit

• An exploit is
  – a piece of software,
  – a chunk of data, or
  – a sequence of commands
• that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic.
• This frequently includes such things as gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack.

Page 9: Gathering the Page Content

• In many cases it is useful to gather all or a portion of the files that make up a website.
  – Use “View Source” from the context menu, then download the content one file at a time.
  – Use “Black Widow”-like automated software tools to analyze the structure of a web page, and then select and gather all or a portion of a site.

Page 10: Attacking a WEB Server

• Web servers typically listen on TCP port 80 (http) and TCP port 443 (https).
• These ports have to be open and available to web clients.
• Any firewall or packet filtering device between the web client and web server passes traffic destined for those ports.
• WEB application software also may allow access to additional ports.

Page 11: Attacking a WEB Server

• Banner Grabbing
  – It is an information gathering step targeting web servers.
  – It attempts to gather information about a web server such as:
    • OS
    • Web server software (IIS, Apache, ...) and version

Page 12: Attacking a WEB Server

• Banner Grabbing
  – Steps:
    • At the command prompt: telnet <IPAddress> 80
    • Next, in the telnet window type HEAD / HTTP/1.0 and then press Enter.
    • The web server banner will then be returned, for example:
      Server: Microsoft-IIS/5.0
      Date: Tue. 6 Dec 2011 13:41:42 GMT+2
      Content-Length: 340
      Content-type: text/html

Page 13: Attacking a WEB Server

• Banner Grabbing
  – Banner grabbing usually gives you the web server type and version.
  – This information is important because exploits against this web server type and version can be identified.
  – The next step after banner grabbing would be to
    • attack the web server, or
    • attack the web application
  – to gain access to data on the server.
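As an added example (not from the slides), a small Python audit helper for the banner-grabbing step: it sends the same HEAD request the slides type into telnet to a server you administer, parses the raw response, and reports which headers disclose a product and version, which is what the hardening pages later tell you to suppress. The sample response is constructed after the slide's banner, and the host name passed to fetch_head is assumed to be your own server.

```python
import re
import socket

# Constructed sample, modelled on the banner shown on the slide (not a real capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Tue, 06 Dec 2011 11:41:42 GMT\r\n"
    b"Content-Length: 340\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Headers that commonly reveal the software stack, and a pattern for "product/version".
DISCLOSING_HEADERS = ("server", "x-powered-by")
VERSION_RE = re.compile(r"^([A-Za-z0-9_.-]+)/([0-9][0-9A-Za-z.-]*)")


def fetch_head(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send 'HEAD / HTTP/1.0' (what the slide does by hand in telnet) and return the raw reply."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP response into its status line and a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def disclosure_findings(headers: dict) -> list:
    """Return (header, product, version) for every header that leaks a version string."""
    findings = []
    for name in DISCLOSING_HEADERS:
        match = VERSION_RE.match(headers.get(name, ""))
        if match:
            findings.append((name, match.group(1), match.group(2)))
    return findings


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    for header, product, version in disclosure_findings(parsed["headers"]):
        print(f"{header} discloses {product} version {version}")
```

A clean result from this check on your own servers is the observable outcome of the "hide the version" part of hardening; a bare "Server: Apache" produces no finding.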

Page 14: Attacking a WEB Server

• Defacement
  – It is a visible type of attack against a web server.
  – Hackers deface websites for sheer joy and to enhance their reputations, not for gathering any useful data.
  – Hackers exploit a vulnerability in the OS or WEB server software and then alter the web site files to show that the site has been hacked.

Page 15: Attacking a WEB Server

• Defacement
  – Often the hacker displays his/her hacker name on the website’s home page.
• Common website attacks for defacement
  – Capturing administrator credentials through man-in-the-middle attacks
  – Revealing an administrator password through a brute-force attack
  – Using a DNS attack to redirect users to a different web server

Page 16: Attacking a WEB Server

• Common website attacks for defacement (continued)
  – Compromising an FTP or email server
  – Exploiting web application bugs that result in a vulnerability
  – Misconfiguring web shares
  – Taking advantage of weak permissions
  – Rerouting a client after a firewall or router attack
  – Using SQL injection attacks (if the SQL server and web server are the same system)

Page 17: Attacking a WEB Server

• Common website attacks for defacement (continued)
  – Using telnet or Secure Shell (SSH) intrusion
  – Carrying out URL poisoning, which redirects the user to a different URL
  – Using web server extension or remote service intrusion
  – Intercepting the communication between the client and the server and changing the cookie to make the server believe that there is a user with higher privileges (applies to cookie-based security)

Page 18: Hacking Internet Information Server (IIS)

• Windows IIS is one of the most popular web server software products.
• The three most common attacks against IIS are:
  – Directory traversal
  – Source disclosure
  – Buffer overflow

Page 19: Hacking Internet Information Server (IIS)

• Directory traversal attack (DTA)
  – Web clients are limited to specific directories within the Windows file system.
  – Only the initial directory (root) and the subdirectories of the root are allowed to be accessed by web clients.
  – However, a directory-traversal attack permits access to other directories within the file system.

Page 20: Hacking Internet Information Server (IIS)

• Directory traversal attack (DTA)
  – Unpatched Windows 2000 with IIS has a vulnerability to DTA, also known as the Unicode exploit.
  – This exploit affects CGI scripts and Internet Server Application Programming Interface (ISAPI) extensions such as .asp.
  – The reason is: the IIS parser was not properly interpreting Unicode, thus giving hackers system-level access.

Page 21: Hacking Internet Information Server (IIS)

• Directory traversal attack (DTA)
  – Unicode converts characters of any language to a universal hex code specification.
  – However, the Unicode is interpreted twice, and the parser only scans the resulting request once.
  – Hackers could therefore sneak file requests through IIS.
  – Example: utilizing %c0%af instead of a slash in a relative pathname exploits the IIS vulnerability.

Page 22: Hacking Internet Information Server (IIS)

• Directory traversal attack (DTA)
  – This exploit lets the hacker gain access to files normally forbidden to him/her.
  – Worse, this exploit allows the hacker to add, change, or delete files, or upload and run code on the server (a Trojan or a backdoor).
  – The IIS Unicode exploit is an outdated vulnerability; it is presented as proof that the vulnerability existed and could be exploited.
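As an added example (not from the slides), the defender's side of the "decoded twice, checked once" bug described on pages 20 to 22: a Python request-path canonicaliser that decodes until the value is stable, rejects overlong UTF-8 such as %c0%af outright, and only then checks that the resolved path stays under the document root. The web root /var/www/html is an assumption for the example.

```python
import posixpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/var/www/html"   # assumed document root for the example
MAX_DECODE_ROUNDS = 3        # bound on nested percent-encoding layers we will unwrap


def decode_request_path(raw_path: str) -> str:
    """Percent-decode until the value is stable, then decode as strict UTF-8.

    Decoding repeatedly and checking only the final form closes the gap the
    slides describe (IIS decoded twice but scanned once). Strict UTF-8 decoding
    rejects overlong sequences such as %c0%af, the illegal encoding of '/' used
    by the Unicode exploit; Python raises UnicodeDecodeError for them.
    """
    current = raw_path.encode("ascii")            # a request target is ASCII on the wire
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(current)
        if decoded == current:
            break
        current = decoded
    else:
        raise ValueError("too many layers of percent-encoding")
    try:
        return current.decode("utf-8")            # strict by default: overlong forms fail here
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid UTF-8 in path: {exc.reason}") from None


def resolve_under_root(raw_path: str, web_root: str = WEB_ROOT) -> str:
    """Map a request path onto the filesystem and refuse anything outside web_root."""
    path = decode_request_path(raw_path)
    if "\x00" in path or "\\" in path:
        raise ValueError("forbidden character in path")
    root = posixpath.normpath(web_root)
    # Lexical normalisation: collapses '.', '..' and repeated slashes without touching disk.
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        raise ValueError(f"path escapes web root: {raw_path!r}")
    return full


def is_safe_request_path(raw_path: str) -> bool:
    """Convenience wrapper: True when the request stays inside the web root."""
    try:
        resolve_under_root(raw_path)
        return True
    except ValueError:
        return False
```

The check generalises beyond the single %c0%af case on the slide: double-encoded dots, plain ../ sequences and embedded NUL bytes are all refused by the same path.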

Page 23: Hacking Internet Information Server (IIS)

• Buffer overflow attacks
  – Not unique to web servers
  – Can also be launched against other types of systems
  – Buffer overflows involve sending more data than the web server is capable of handling.
  – The primary entry point for buffer overflows is a web form on the web server.

Page 24: Hacking Internet Information Server (IIS)

• Source Disclosure Attacks
  – Occur when the source code of a server application can be gathered.
  – It can lead to a hacker identifying the application type, programming language, and other application-specific information.
  – With this information a hacker can identify security holes and potential exploits for them.

Page 25: Hacking Internet Information Server (IIS)

• Most of a hacker’s time is spent gathering information about a target in order to identify the best point of entry for an exploit.
• White Hat Hackers must be aware of all information gathering techniques to identify potential vulnerabilities in web servers and web applications.
• So they can defend against the same attacks and implement countermeasures to prevent them.

Page 26: Patch-Management Techniques

• Patch management plays a critical role in preventing and mitigating the risk of attack against web servers and web applications.
• It is the process of applying the appropriate patches and hot-fixes required by a system vendor.
• Proper patch management involves choosing how patches are to be installed and verified.
• It also involves testing those patches on a non-production network prior to installation.

Page 27: Patch-Management Techniques

• You should maintain a log of all patches applied to each system.
• To make patch installation easier, you can use automated patch management systems.

Page 28: WEB Server Hardening Methods

• Rename the administrator account, and use a strong password.
• Disable default websites and FTP sites.
• Remove unused applications from the server.
• Disable directory browsing in the web server’s configuration settings.
• Add a legal notice to the site to make potential attackers aware of the implications of hacking the site.

Page 29: WEB Server Hardening Methods

• Apply the most current patches, hot-fixes, and service packs to the operating system and web server software.
• Perform bounds checking on input from web forms and query strings to prevent buffer overflow or malicious input attacks.
• Disable remote administration.
• Use a script to map unused file extensions to a 404 (“File not found”) error message.

Page 30: WEB Server Hardening Methods

• Enable auditing and logging.
• Use a firewall between the server and the Internet and allow only necessary ports (such as 80 and 443) through the firewall.
• Replace the GET method with the POST method when sending data to a web server.

Page 31: WEB Application Vulnerabilities

• Web application vulnerabilities are as risky as Web server vulnerabilities.
• Web applications are programs that reside on a web server to give the user functionality beyond just a web server:
  – Database queries
  – Webmail
  – Discussion groups
  – Blogs

Page 32: WEB Application Vulnerabilities

• A web application uses a client/server architecture:
  – The client part runs in web browsers.
  – The server part runs on the web server.
• The server acts as the application server.
• JavaScript is the most popular way to implement user interactivity on the client side (web browsers).

Page 33: WEB Application Vulnerabilities

• The purpose of hacking a web application is to gain confidential data.
• Web applications are critical to the security of a system because they usually connect to a database that contains:
  – Identities
  – Credit card numbers
  – Passwords

Page 34: WEB Application Vulnerabilities

• Web application vulnerabilities increase the threat that hackers will exploit the operating system and web server or web application software.
• Web applications are essentially another door into a system and can be exploited to compromise the system.
• Hacking a web application is similar to hacking other systems.

Page 35: WEB Application Vulnerabilities

• Hackers follow a five-step process

Page 36: WEB Application Threats and Countermeasures

• Cross-Site Scripting
  – A parameter entered into a web form is processed by the web application.
  – The correct combination of variables can result in arbitrary command execution.
  – Countermeasure: Validate cookies, query strings, form fields, and hidden fields.

Page 37: WEB Application Threats and Countermeasures

• SQL Injection
  – Inserting SQL commands into the URL gets the database server to dump, alter, delete, or create information in the database.
  – Countermeasure: Validate the user variables.
• Command Injection
  – The hacker inserts programming commands into a web form.
  – Countermeasure: Use language-specific libraries for the programming languages.
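As an added example (not from the slides), the SQL injection countermeasure shown in Python against an in-memory SQLite table with constructed rows: the string-built query that the slide warns about sits next to a bound-parameter version, with an allow-list check on the user variable layered on top. Table and sample rows are constructed for the example.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")   # allow-list for the user variable


def make_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String-built query: the user variable becomes part of the SQL text itself.
    Kept only to show why the slide's countermeasure matters."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the driver passes the value separately, so it is never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def is_valid_username(username: str) -> bool:
    """The slide's 'validate the user variables': accept only the characters a username needs."""
    return USERNAME_RE.match(username) is not None


def lookup_validated(conn: sqlite3.Connection, username: str) -> list:
    """Validation plus binding: reject odd input early, and never build SQL from it anyway."""
    if not is_valid_username(username):
        raise ValueError("username contains characters outside the allow-list")
    return lookup_parameterized(conn, username)
```

Validation alone is not enough when the value legitimately needs quotes or spaces, which is why the bound parameter is the primary control and the allow-list is defence in depth.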

Page 38: WEB Application Threats and Countermeasures

• Cookie Poisoning and Snooping
  – The hacker corrupts or steals cookies.
  – Countermeasures:
    • Don’t store passwords in cookies.
    • Implement cookie timeouts.
    • Authenticate cookies.
• Buffer Overflow
  – Huge amounts of data are sent to a web application through a web form to execute commands.
  – Countermeasures:
    • Validate user input length.
    • Perform bounds checking.
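As an added example (not from the slides), the two cookie countermeasures "authenticate cookies" and "implement cookie timeouts" in Python: an HMAC over the cookie fields makes the privilege change described on page 17 (rewriting role=user to role=admin) detectable, and an embedded expiry bounds how long a snooped cookie stays usable. The secret value and the 15-minute timeout are assumptions for the example.

```python
import hashlib
import hmac
import time

# Assumption: a server-side secret that is never sent to the browser (constructed demo value).
COOKIE_SECRET = b"constructed-demo-secret-rotate-in-production"
COOKIE_TTL_SECONDS = 15 * 60            # the slide's "cookie timeout"


def issue_session_cookie(user: str, role: str, now=None) -> str:
    """Build 'user=..;role=..;exp=..;mac=..' where mac authenticates the other fields."""
    if any(ch in user + role for ch in ";="):
        raise ValueError("field values must not contain ';' or '='")
    now = int(time.time()) if now is None else now
    payload = f"user={user};role={role};exp={now + COOKIE_TTL_SECONDS}"
    mac = hmac.new(COOKIE_SECRET, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{payload};mac={mac}"


def verify_session_cookie(cookie: str, now=None):
    """Return the cookie's fields if the MAC matches and it has not expired, else None."""
    now = int(time.time()) if now is None else now
    payload, sep, mac = cookie.rpartition(";mac=")
    if not sep:
        return None                                     # no authenticator at all
    expected = hmac.new(COOKIE_SECRET, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None                                     # poisoned: some field was altered
    fields = dict(item.split("=", 1) for item in payload.split(";"))
    if int(fields.get("exp", 0)) < now:
        return None                                     # snooped cookie replayed after timeout
    return fields
```

Note that the cookie still carries no password, in line with the first countermeasure; the MAC proves the server issued these fields, it does not hide them.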

Page 39: WEB Application Threats and Countermeasures

• Authentication Hijacking
  – The hacker steals a session once a user has authenticated.
  – Countermeasure: Use SSL to encrypt traffic.
• Directory Traversal/Unicode
  – The hacker browses through the folders on a system via a web browser or Windows Explorer.
  – Countermeasures:
    • Define access rights to private folders on the web server.
    • Apply patches and hotfixes.

Page 40: Google Hacking

• Google hacking refers to using Google’s powerful search engine
  – to locate high-value targets
  – to search for valuable information such as passwords
• The Google Hacking Database (GHDB) is a database of queries that identify sensitive data.
• Although Google blocks some of the better known Google hacking queries, nothing stops a hacker from crawling your site and launching the Google Hacking Database queries directly against the crawled content.

Page 41: Google Hacking

• Some of the more popular examples are finding specific versions of vulnerable Web applications.
• The following search query would locate all web pages that have that particular text contained within them.
• It is normal for default installations of applications to include their running version in every page they serve, e.g., "Powered by XOOPS 2.2.3 Final".

Page 42: Google Hacking

• Information that the Google Hacking Database identifies:
  • Advisories and server vulnerabilities
  • Error messages that contain too much information
  • Files containing passwords
  • Sensitive directories
  • Pages containing logon portals
  • Pages containing network or vulnerability data such as firewall logs

Page 43: Google Hacking

• The following search query will locate all websites that have the words "admbook" and "version" in the title of the page.
• It also checks to ensure that the web page being accessed is a PHP file.

intitle:admbook intitle:version filetype:php

Page 44: Google Hacking

• Another technique is searching for insecure coding practices in the public code indexed by Google Code Search or other source code search engines.
• One can even retrieve the username and password list from Microsoft FrontPage servers by entering the following query in the Google search field:

"#-Frontpage-" inurl:administrators.pwd

• Devices connected to the Internet can be found.
• With the search string below you can find public web cameras:

inurl:"ViewerFrame?Mode="

Page 45: Google Hacking

• Check the following links to get more information about Google hacking:
  • http://www.informit.com/articles/article.aspx?p=170880
  • http://www.acunetix.com/websitesecurity/google-hacking.htm
  • http://www.eyupcelik.com.tr/guvenlik-araclari/google-hacking-database
• Preventing Google hacking attacks
  – Remove all pages identified by Google hacking queries.

Page 46: Web Based Password Cracking Techniques

• Authentication Types
  – Web servers and web applications support multiple authentication types.
  – The most common is HTTP authentication.
  – The two types of HTTP authentication are:
    • Basic
    • Digest
• Basic HTTP authentication sends the username and password in cleartext.
• Digest authentication hashes the credentials and uses a challenge-response model for authentication.
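As an added example (not from the slides), both HTTP authentication schemes from this page worked through in Python: the Basic header decodes straight back to the password, while the Digest exchange (RFC 2617 without the qop extension) lets the server verify a response from a stored HA1 and a fresh nonce, so the password itself never crosses the wire. The realm, user and password values are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets


def basic_authorization(username: str, password: str) -> str:
    """Basic scheme: base64 is an encoding, not encryption; the header carries the password."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def basic_credentials(header_value: str) -> tuple:
    """What any observer of an unencrypted connection recovers from a Basic header."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5_hex(text: str) -> str:
    # Digest is specified over MD5; it is shown here as the protocol defines it.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The server may store this instead of the password."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """Client side of the challenge-response: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def new_nonce() -> str:
    """Server challenge, fresh per request, so a captured response cannot be replayed."""
    return secrets.token_hex(16)


def digest_verify(stored_ha1: str, nonce: str, method: str, uri: str, response: str) -> bool:
    """Server recomputes the expected response from the stored HA1 and the nonce it issued."""
    return hmac.compare_digest(digest_response(stored_ha1, nonce, method, uri), response)
```

Digest keeps the password off the wire but still runs over an unauthenticated channel and a weak hash, so the page's later advice to use SSL applies to both schemes.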

Page 47: Web Based Password Cracking Techniques

• Authentication Types
  – In addition, web servers and web applications support the following types of authentication:
    • NTLM Authentication
    • Certificate-Based Authentication
    • Token-Based Authentication
    • Biometric Authentication

Page 48: Web Based Password Cracking Techniques

• Authentication Types
  – NTLM Authentication
    • Uses Internet Explorer and IIS web servers
    • More suitable for internal authentication on an intranet that uses Microsoft operating systems
    • Uses Windows servers’ Kerberos authentication as a more secure option
  – Certificate-Based Authentication
    • Uses an X.509 certificate for public/private key technology.

Page 49: Web Based Password Cracking Techniques

• Authentication Types
  – Token-Based Authentication
    • A token, such as SecurID, is a hardware device that displays an authentication code for 60 seconds.
    • A user uses this code to log into a network.
  – Biometric Authentication
    • This type uses a physical characteristic such as a fingerprint, eye iris, or handprint to authenticate the user.

Page 50: Web Based Password Cracking Techniques

• Password Attacks and Password Cracking
  – The three types of password attacks are:
    • Dictionary
      – Uses passwords that can be found in a dictionary
    • Brute-Force
      – Guesses complex passwords that use letters, numbers, and special characters
    • Hybrid
      – Uses dictionary words with a number or special character as a substitute for a letter (e.g., ‘@’ for the letter ‘a’, ‘$’ for the letter ‘S’)

Page 51: Web Based Password Cracking Techniques

• A scenario of a dictionary password attack
  1. The hacker can get the hashed password by sniffing it from a wired or wireless network.
  2. Obtain password cracker software.
  3. Generate or obtain a dictionary of words.
  4. This list of words is hashed or encrypted.
  5. Every hashed word within the dictionary is checked against the hashed password.
  6. On any match, the plaintext version of the hashed word is the searched-for password.
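As an added example (not from the slides) covering the attack types on page 50 and the dictionary scenario on page 51 from the defender's side: a Python password-acceptance check that reverses the hybrid substitutions the slide lists ('@' for 'a', '$' for 's') and strips appended digits or symbols before comparing against a word list, so that passwords a dictionary or hybrid run would recover are rejected at registration. The toy word list and the 12-character minimum are assumptions for the example.

```python
import re

# Constructed toy word list; a real check uses a large breach-derived list.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "dragon", "monkey", "qwerty"}

# The substitutions the slide describes for hybrid attacks ('@' for 'a', '$' for 's', ...).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

MIN_LENGTH = 12   # assumption: below this, brute force over letters, digits and symbols is cheap


def hybrid_base(password: str) -> str:
    """Undo what a hybrid attack adds: leading/trailing digits or symbols, then leet substitutions."""
    p = password.lower()
    p = re.sub(r"[^a-z@$]+$", "", p)      # "summer2024", "welcome1!"
    p = re.sub(r"^[^a-z@$]+", "", p)      # "!!password"
    p = p.translate(LEET)                 # "p@$$w0rd" -> "password"
    return re.sub(r"[^a-z]", "", p)       # drop anything the substitutions did not cover


def classify_password(password: str, words=COMMON_WORDS) -> str:
    """'dictionary' / 'hybrid' / 'short' / 'ok', ordered by how quickly the slide's attacks recover it."""
    if password.lower() in words:
        return "dictionary"
    if hybrid_base(password) in words:
        return "hybrid"
    if len(password) < MIN_LENGTH:
        return "short"
    return "ok"


def accept_password(password: str, words=COMMON_WORDS) -> bool:
    """Registration-time gate: only passwords outside the reach of the three attack types pass."""
    return classify_password(password, words) == "ok"
```

Rejecting these candidates up front is cheaper than relying on step 5 of the scenario failing; the hashing side of the defence (salted, slow password hashes) is a separate control this check does not replace.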