Web system
This presentation is the property of its rightful owner.
Sponsored Links
1 / 30

WEB SYSTEM PowerPoint PPT Presentation


  • 130 Views
  • Uploaded on
  • Presentation posted in: General

WEB SYSTEM. Components of a Generic Web Application System. URL Mappings to the Web Application System. Web Application Architecture. Web Server vs Web Application. Web Server: Serves client request and forward to proper application for further processing (e.g. IIS, Apache, thttpd and etc.)

Download Presentation

WEB SYSTEM

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Web system

WEB SYSTEM


Components of a generic web application system

Components of a GenericWeb Application System


Url mappings to the web application system

URL Mappings to the WebApplication System


Web application architecture

Web Application Architecture


Web server vs web application

Web Server vs Web Application

  • Web Server:

    • Serves client request and forward to proper application for further processing (e.g. IIS, Apache, thttpd and etc.)

  • Web Application:

    • Using programming language (e.g. ASP, PHP, Java, .Net, Perl or C) to

    • implement business logic and serve the client

  • Web Application does not run without Web Server

  • Web Server does run without Web Application (Serving static content)

  • Web Application should contain:

    • Web Server and underlying OS

    • Web Application Code

    • Backend Server


Web server vulnerability

Web Server Vulnerability

  • Can be identified by:

    • Port scan for web related ports (TCP 80, 443 and etc)

    • Vulnerability scanner (Whisker.pl, N-Stealth, Nikto.pl and others)

  • Example:

    • IIS

      • File system traversal vulnerability

      • Unicode and superflous decode vulnerability

      • Various buffer overflow in ISAPI filters (.ida, .printer, WebDAV and etc)

  • Impact:

    • Usually the attacker can take over the system running the web server


Web application vulnerability

Web Application Vulnerability

  • Vulnerability on web application itself

  • Can be identified by:

    • Source code review

    • Application testing

      • Automatic scanner

      • Manual testing

  • Example:

    • SQL or command Injection

    • E-Shop lifting

    • Passport reset password flaw

  • Impact:

    • Data confidentiality and integrity breached

    • System compromised


Flowchart for a one way web hack

Flowchart for a One-WayWeb Hack

  • We need two things to make an effective

  • attack:

    • Interactive terminal access

    • Ability to transfer files


Step 1 finding the entry point

Step 1: Finding the Entry Point

  • URL parsing vulnerability

    • n Unicode / Double decode attack

    • http://www1.example.com/scripts/..%c0%af../winnt/system32/cmd.Exe?/C+copy+c:\winnt\system32\cmd.Exe+c:\inetpub \scripts

  • Parameter parsing vulnerability

  • Example: script uses open() insecurely

    • http://www2.example.com/cgi-bin/news.cgi?story=101003.txt|cp+/bin/sh+/usr/local/apache/cgi-bin/sh.cgi

  • SQL Injection

  • Etc…


Invoking the command interpreter

Invoking the CommandInterpreter


Invoking the command interpreter con t

Invoking the CommandInterpreter, con’t

  • Care must be taken to get cmd.exe to receive commands properly

    • Content-length must be right

    • Remember to run “exit” command

  • Make a script to automate POSTing

  • commands

  • This can be done for /bin/sh, too


Web based command prompt

Web Based CommandPrompt

  • POSTing commands isn’t desirable

    • We want to run commands interactively

      • And we don’t want to trip an IDS or get blocked by a firewall

  • Solution: web based command prompt


Web based command prompt wcp

Web Based Command Prompt (WCP)


Installing the web based command prompt

Installing the Web BasedCommand Prompt

  • How do we get our script on the server?

  • Use our script for POSTing commands

  • Script files: write to a file one line at a time using “echo”

    • Script files usually don’t need extra permissions

      • Binary files: on certain shells you can echo

    • arbitrary characters to a file

      • echo -e "\x0B\xAD\xC0\xDE\x0B\xAD\xC0\xDE\x0B\xAD\xC0\xDE" > file


Uploading files

Uploading Files

  • We’d also like to upload files to the server

  • FTP, NFS, NetBIOs aren’t good to use for obvious reasons

  • Create a file uploader script in your favorite language

  • Get it on the server the same way as the web based command prompt


Now what

Now what?

  • Now we can do all sorts of fun stuff!!!

  • Find source code of web apps

  • Find server configuration files

  • Try to perform privilege elevation attacks that work locally

  • Screw with the database


Hacking iis5 windows 2000 server via unicode bug

Hacking IIS5(windows 2000 server) via unicode bug

  • Cari file html disimpan


Hacking iis5 windows 2000 server via unicode bug1

Hacking IIS5(windows 2000 server) via unicode bug

  • Jalankan cmd.exe


Hacking iis5 windows 2000 server via unicode bug2

Hacking IIS5(windows 2000 server) via unicode bug

  • Copy file cmd.exe


Hacking iis5 windows 2000 server via unicode bug3

Hacking IIS5(windows 2000 server) via unicode bug

  • IT’S SHOW TIME ..


Hacking iis5 windows 2000 server via unicode bug4

Hacking IIS5(windows 2000 server) via unicode bug

  • Deface time


Sql injection

SQL Injection

  • Hackers typically test for SQL injection vulnerabilities by sending the application input that would cause the server to generate an invalid SQL query.

  • If the server then returns an error message to the client, the attacker will attempt to reverse-engineer portions of the original SQL query using information gained from these error messages.

  • The typical administrative safeguard is simply to prohibit the display of database server error messages. Regrettably, that’s not sufficient.

  • If your application does not return error messages, it may still be susceptible to “blind” SQL injection attacks.


Solution

Solution

  • To secure an application against SQL injection, developers must never allow client supplied data to modify the syntax of SQL statements.

  • In fact, the best protection is to isolate the web application from SQL altogether.

  • All SQL statements required by the application should be in stored procedures and kept on the database server.

  • The application should execute the stored procedures using a safe interface such as JDBC’s CallableStatement or ADO’s Command Object.

  • If arbitrary statements must be used, use PreparedStatements.

  • Both PreparedStatements and stored procedures compile the SQL statement before the user input is added, making it impossible for user input to modify the actual SQL statement.


Web application vulnerability1

Web Application Vulnerability

  • Application Design

  • Application Implementation

  • Application Deployment

  • Infrastructure Configuration


Application design

Application Design

  • Vulnerability in the stage of application design

  • Examples:

    • Weak password (policy)

    • No protection (Encryption) on confidential data

    • Bad choice on using cryptography

    • Weak authentication/authorization mechanism


Application deployment

Application Deployment

  • Transition of application state (e.g. from test to production)

    • Did not strip out information

      • Test/Guest accounts

      • Test information

      • Debug configuration

      • Account/Password information

    • No audit/test before deployment

      • Deployed bugged version

    • Expose test environment


Find web application vulnerability

Find Web Application Vulnerability

  • How Do You Find Web Application Vulnerability Today?

  • Raise Your Hand If You Use Automatic Tool!

  • Raise Your Hand If You Use Manual Test!

  • Raise Your Hand If You Don’t Use Any of Them!


Assesment plan

Assesment Plan

  • Do You know what will be tested?

  • Do you have control to add or delete the test?

  • Who is making the plan?

  • What is the methodology?

  • What is the knowledge base?


Accuracy

Accuracy

  • How accurate is the result?

    • Can any tool identify “ANY” of the case study we are going to talk about?

  • Is it confused by your customized error page?

  • Can it login into your HTML Form-based authentication application?

  • Can it assess authorization or access control problem?


Accountability traceability

Accountability & Traceability

  • Can you verify or reproduce any single vulnerability found?

  • How easy/hard would that be?

  • Can you identify what is the risk brought to you by the vulnerability?

  • Can you change/define how the risk is calculated?


  • Login