
Web Site Hacking






Presentation Transcript


  1. Web Site Hacking

  2. Objectives
  • Describe Web applications
  • Explain Web application vulnerabilities
  • Describe the tools used to attack Web servers

  3. Targets
  • Normally, a Web application is supported by a Web server that runs on a general-purpose or embedded OS.
  • Each component (application, server, and OS) has its own set of vulnerabilities, but when these components are combined, there is an increased risk of the Web application being compromised.
  • Attackers can exploit a minor vulnerability in one function, such as a Web mail application, and use it as a stepping stone to launch additional attacks against the OS.

  4. Web Application Components
  • Static Web pages
  • Dynamic Web pages
  • Common Gateway Interface (CGI)
  • Active Server Pages (ASP)
  • PHP
  • ColdFusion
  • JavaScript
  • Database connector strings, such as Open Database Connectivity (ODBC)

  5. Scripting Languages
  • PHP: Hypertext Preprocessor
  • ColdFusion
  • VBScript
  • JavaScript

  6. PHP: Hypertext Preprocessor
    <html>
    <head>
    <title>My First PHP Program</title>
    </head>
    <body>
    <?php echo '<h1>Hello, Security Testers!</h1>'; ?>
    </body>
    </html>

  7. ColdFusion
    <html>
    <head>
    <title>Using CFML</title>
    </head>
    <body>
    <CFLOCATION URL="www.isecom.org" ADDTOKEN="NO">
    </body>
    </html>

  8. VBScript
    <html>
    <body>
    <script type="text/vbscript">
    document.write ("<h1>Hello Security Testers!</h1>")
    document.write ("Date Activated: " & date())
    </script>
    </body>
    </html>

  9. JavaScript
    <html>
    <head>
    <script type="text/javascript">
    function chastise_user()
    {
      alert("So, you like breaking rules?");
      // The button needs an id for getElementById to find it
      document.getElementById("cmdButton").focus();
    }
    </script>
    </head>
    <body>
    <h3>"If you are a Security Tester, please do not click the command button below!"</h3>
    <form>
    <input type="button" value="Don't Click!" id="cmdButton" name="cmdButton" onClick="chastise_user()" />
    </form>
    </body>
    </html>

  10. Connecting to Databases
  • Open Database Connectivity (ODBC)
  • Object Linking and Embedding Database (OLE DB)
  • ActiveX Data Objects (ADO)

  11. Open Database Connectivity (ODBC)
  • The ODBC interface allows an application to access data stored in a database management system (DBMS).
  • It established interoperability between back-end DBMSs and applications by providing:
  • A standardized representation for data types
  • A library of ODBC function calls that allow an application to connect to a DBMS, run SQL statements, and retrieve the results
  • A standard method of connecting to and logging on to a DBMS

  12. Object Linking and Embedding Database (OLE DB)
  • A set of interfaces that enable applications to access data stored in a DBMS.
  • Faster, more efficient, and more stable than its predecessor, ODBC.
  • OLE DB relies on connection strings that allow the application to access data stored on an external device.
  • Depending on the data source you are connecting to, you might use a different provider.
  • For example, connecting to a SQL Server database requires SQLOLEDB as the provider instead of Microsoft.Jet.

  13. Example OLE DB connection string
    Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Personnel.mdb; User ID=; Password=;

  14. ActiveX Data Objects (ADO)
  • A programming interface for connecting a Web application to a database.
  • To access a database from an ASP Web page, you follow these general steps:
    1. Create an ADO connection to the database you want to access.
    2. Open the database connection you created in Step 1.
    3. Create an ADO recordset, which contains rows from the table you are accessing.
    4. Open the recordset.
    5. Select the data you need from the recordset, based on particular criteria.
    6. Close the recordset and the database connection.

  15. Cross-site scripting (XSS)
  • A Web browser might execute code sent from a Web site. Attackers can use a Web application to run a script in the Web browser of the system they are attacking.
  • XSS is one of the easiest types of attacks to perform, which also makes it one of the most common; attackers simply save the form to their local computers and change the form field values.
  • This type of attack is also one of the easiest to protect against, by making sure that any "post" action is coming from your Web site.

  16. Reflected XSS example
    index.php?name=guest<script>alert('attacked')</script>
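The reflection shown on this slide, rendered first verbatim and then with the parameter HTML-escaped, as an added example that is not part of the original slides; the page template and the example.test host are constructed for it.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page template: the 'name' parameter lands in the HTML body.
TEMPLATE = "<html><body><h1>Welcome, {name}</h1></body></html>"

# Constructed request carrying the payload from the slide.
SAMPLE_URL = "http://example.test/index.php?name=guest<script>alert('attacked')</script>"


def name_from_url(url: str) -> str:
    """Extracts the 'name' query parameter, defaulting to 'guest'."""
    params = parse_qs(urlsplit(url).query)
    return params.get("name", ["guest"])[0]


def render_unsafe(url: str) -> str:
    """Vulnerable: the parameter is inserted into the HTML verbatim, so a
    <script> element supplied in the request is run by every browser that
    loads the response."""
    return TEMPLATE.format(name=name_from_url(url))


def render_safe(url: str) -> str:
    """Hardened: escape <, >, &, and quotes for the HTML body context before
    insertion, so the browser displays the tag text instead of executing it."""
    return TEMPLATE.format(name=html.escape(name_from_url(url), quote=True))
```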

  17. Injection flaws
  • Many Web applications pass parameters when accessing an external system.
  • A Web application that accesses a database server needs to pass logon information to the database server.
  • An attacker can embed malicious code and run a program on the database server, or send malicious code in an HTTP request.
  • Basically, the attacker is tricking the Web application into running malware or making unauthorized changes to data.

  18. Malicious file execution
  • Some Web applications allow users to reference or upload files containing malware.
  • If these references or files are not checked before the Web application executes them, they can give attackers complete control of the system.

  19. Unsecured direct object reference
  • This vulnerability occurs when information returned via the URL to a user's Web browser contains references to files, directories, or database records.
  • By simply changing the information in the URL, attackers can gain unauthorized access to information.

  20. Information leakage and incorrect error handling
  • If an error occurs during normal operations and is not handled correctly, the information sent to users might reveal details attackers can use.
  • For example, attackers can take advantage of error messages that reveal what was executed on the stack or indicate what Web software is used.

  21. Unsecured cryptographic storage
  • Storing keys, certificates, and passwords on a Web server can be dangerous. If an attacker can gain access to these mechanisms, the server is vulnerable to attack. To decrease the chances of a compromise, don't store confidential data, such as customers' credit card numbers, on your Web server. Instead, require that confidential data be entered each time users visit the Web site.

  22. Unsecured communication
  • Connections between the Web browser and the Web application should be encrypted to protect information as it travels across the Internet. Web applications need to encrypt not only the session to the Web browser, but also sessions to any other servers, such as back-end databases. This vulnerability occurs when sessions are left unencrypted.

  23. Failure to restrict URL access
  • This vulnerability occurs when developers don't use adequate access controls for URLs. Instead, they rely on a "security through obscurity" model, which depends on users simply not being aware of the location of critical files and directories.

  24. Canonicalization (dot-dot-slash) Attacks
  • IIS didn't correctly parse the URL information users entered, which allowed attackers to launch a Unicode exploit.
  • For example, if a user entered the /../.. sequence of characters in a URL, IIS returned an error.
  • To bypass this check in IIS, attackers substituted the Unicode equivalent of ../: ..%255c.
    http://www.nopatchiss.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c
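The ordering flaw this slide describes, shown as an added example that is not part of the original slides: a check for "../" applied before decoding lets the ..%255c form through, whereas decoding fully, canonicalizing and then confirming the result stays under the served directory rejects it. The web root path is a constructed assumption, and the request path is taken to be everything after /scripts/.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed for this example: the directory that the /scripts/ virtual
# directory maps to. Request paths below are the part after /scripts/.
WEB_ROOT = "/srv/www/scripts"


def naive_check(raw_path: str) -> bool:
    """The flawed order of operations: look for a literal traversal sequence
    in the raw request and decode only afterwards, so ..%255c is never
    recognized as '..\\'. Returns True when the request would be allowed."""
    return "../" not in raw_path and "..\\" not in raw_path


def full_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing: %255c -> %5c -> '\\'.
    The round limit rejects inputs wrapped in excessive encoding layers."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def resolve_safely(raw_path: str) -> Optional[str]:
    """Decode first, treat backslashes as separators (as IIS does), collapse
    '..' segments, then require the result to remain inside WEB_ROOT.
    Returns the filesystem path to serve, or None to reject the request."""
    decoded = full_decode(raw_path).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if candidate == WEB_ROOT or candidate.startswith(WEB_ROOT + "/"):
        return candidate
    return None
```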

  25. SQL Injection
  • SELECT * FROM customer WHERE tblusername = 'bob' AND tblpassword = 'password'
  • Entering ' OR 1=1 -- as the user name produces:
  • SELECT * FROM customer WHERE tblusername = '' OR 1=1 -- ' AND tblpassword = ''
  • Because 1=1 is always true, the query is carried out successfully. Double hyphens (--) are used in SQL to indicate a comment, so the rest of the WHERE clause is ignored.

  26. Entering ' OR ''=' for both the user name and the password produces:
  • SELECT * FROM customer WHERE tblusername = '' OR ''='' AND tblpassword = '' OR ''=''
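Both login queries from slides 25 and 26 built the vulnerable way, beside a parameterized version that treats the same input as plain data, as an added example that is not part of the original slides. The in-memory SQLite table and its single row are constructed here; the table and column names follow the slides.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for this example: one legitimate account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (tblusername TEXT, tblpassword TEXT)")
    conn.execute("INSERT INTO customer VALUES ('bob', 'password')")
    return conn


def build_query_unsafe(username: str, password: str) -> str:
    """The vulnerable pattern: request fields pasted straight into the SQL
    text, so quotes, OR and -- in the input become part of the statement."""
    return ("SELECT * FROM customer WHERE tblusername = '" + username
            + "' AND tblpassword = '" + password + "'")


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Runs the concatenated statement and returns how many accounts matched;
    any count above zero would be treated as a successful login."""
    return len(conn.execute(build_query_unsafe(username, password)).fetchall())


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Hardened form: the statement text is fixed and the driver binds the
    values separately, so the input can never change the query's structure."""
    sql = "SELECT * FROM customer WHERE tblusername = ? AND tblpassword = ?"
    return len(conn.execute(sql, (username, password)).fetchall())
```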

  27. Cgiscan: A CGI Scanning Tool
  • A tool for searching Web sites for CGI scripts that can be exploited.
  • Cgiscan, a C program that must be compiled, is included here as an example of a security tool written in C.
  • Tests for new CGI vulnerabilities can be included by adding code and then recompiling.

  28. Wapiti
  • It inspects a Web site by searching from the outside for ways to take advantage of XSS, SQL, PHP, JSP, and file-handling vulnerabilities.
  • It can detect common forms that allow uploads or command injection. It uses a technique called "fuzzing": trying to inject data into whatever will accept it. In this way, even new vulnerabilities can be discovered.

  29. Wfetch
  • A GUI tool that can be downloaded free from Microsoft and is included in the IIS Resource Kit.
