
ITEC441- IS Security






Presentation Transcript


  1. ITEC441- IS Security Chapter 11 – Web Server Security

  2. How WEB Servers Work • Web servers use Hypertext Transfer Protocol (HTTP) and its TLS-protected form, HTTP Secure (HTTPS), to let web-based clients connect to them • to view pages • to download files. • HTTP is an application-layer protocol in the TCP/IP stack. • Hypertext Markup Language (HTML) is the language used to create web pages. • HTML pages are rendered by web browser software on web clients.

  3. How WEB Servers Work • HTTP components (diagram not reproduced in the transcript)

  4. How WEB Servers Work • The web client opens a TCP connection to the web server's IP address on port 80 (443 for HTTPS). • The web server waits for a GET request from the client asking for the server's home page. • The web server responds with the HTML of its home page. • The client processes the HTML and the browser software renders the page on the client device.

  5. How to Hack/Protect a WEB Server • Understand how the web server works. • Know the vulnerabilities of a web server. • Learn the types of attacks against web servers. • Know the patch-management techniques. • Know how to harden the web server.

  6. Types of WEB Server Vulnerabilities • Misconfiguration of the web server software • Default permissions and settings may leave the site open to attack (e.g. privileges granted to the “Everyone” group should be cut back). • Operating system or application bugs, or flaws in programming code • The OS and web server software should be patched and updated regularly. • OS security patches, hot fixes and updates should be applied to the system, automatically or manually. • Vulnerable default installation • Do not leave your system with its default settings. • Close unneeded services and ports.

  7. Types of WEB Server Vulnerabilities • Hackers exploit these vulnerabilities to gain access to the web server. • Web servers are usually located in a Demilitarized Zone (DMZ). • A DMZ is a network segment between two packet-filtering devices (firewalls): it is reachable from the Internet and from the organization's internal clients, but is kept apart from the internal network. • An exploited web server therefore gives the attacker a foothold from which internal systems or databases are easier to reach.

  8. The Term: exploit • An exploit is • a piece of software, • a chunk of data, or • a sequence of commands • that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behaviour in computer software, hardware, or something electronic. • This frequently includes gaining control of a computer system, privilege escalation, or a denial-of-service attack.

  9. Gathering the Page Content • In many cases it is useful to gather all or a portion of the files that make up a website. • Use “View Source” from the browser's context menu, then download the content file by file. • Use automated tools such as Black Widow to analyze the structure of a site, then select and gather all or a portion of it.

  10. Attacking a WEB Server • Web servers typically listen on TCP port 80 (HTTP) and TCP port 443 (HTTPS). • These ports have to be open and reachable by web clients. • Any firewall or packet-filtering device between the web client and web server must therefore pass traffic destined for those ports. • Web application software may also listen on additional ports.

  11. Attacking a WEB Server • Banner Grabbing • An information-gathering step targeting web servers. • It attempts to learn facts about the web server such as: • the OS • the web server software (IIS, Apache, ...) and its version

  12. Attacking a WEB Server • Banner Grabbing • Steps: • At the command prompt: telnet <IPAddress> 80 • Next, in the telnet window type HEAD / HTTP/1.0 and press Enter twice (the empty line ends the request). • The web server's response headers, including the banner, are then returned: Server: Microsoft-IIS/5.0 Date: Tue, 06 Dec 2011 11:41:42 GMT Content-Length: 340 Content-Type: text/html

  13. Attacking a WEB Server • Banner Grabbing • Banner grabbing usually gives you the web server type and version. • This information matters because known exploits for that web server type and version can then be identified. • The next steps after banner grabbing would be to • attack the web server, • attack the web application, • to gain access to data on the server. • Note that the Server header can be suppressed or faked by the administrator, so treat the banner as a hint and confirm it with other fingerprinting.
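The banner-grabbing procedure described in slides 11 to 13, as an added example that is not part of the original presentation: a small Python script that sends the same HEAD request over a raw socket and extracts the identifying headers from the reply. The host name, the port and the sample response bytes are assumptions constructed for the demonstration, not a real capture.

```python
import socket

# Constructed sample: the header block a Windows 2000 / IIS 5.0 server could
# return to a HEAD request (values chosen to match the slide; not a real capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Tue, 06 Dec 2011 11:41:42 GMT\r\n"
    b"Content-Length: 340\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)


def build_head_request(host: str) -> bytes:
    """HEAD request for the site root; the empty line terminates the header block."""
    return f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_banner(raw: bytes) -> dict:
    """Return the status line plus the headers that identify server software."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    info = {"status": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key in ("server", "x-powered-by", "x-aspnet-version"):
            info[key] = value.strip()
    return info


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Connect, send HEAD, and read until the blank line that ends the headers.

    A HEAD response carries no body, so stopping at the blank line is enough.
    """
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_head_request(host))
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_banner(buf)


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; grab_banner("host") does it live.
    print(parse_banner(SAMPLE_RESPONSE))
```

The parser only keeps headers that fingerprint software; everything else in the reply is noise for this step. Against a live target, the same call through `grab_banner` is what the telnet session on slide 12 does by hand.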

  14. Attacking a WEB Server • Defacement • A visible type of attack against a web server. • Hackers deface websites for sheer joy and to enhance their reputations, • not for gathering any useful data. • The hacker exploits a vulnerability in the OS or web server software and then alters the website's files to show that the site has been hacked.

  15. Attacking a WEB Server • Defacement • Often the hacker displays his/her hacker name on the website's home page. • Common website attacks used for defacement • Capturing administrator credentials through man-in-the-middle attacks • Revealing an administrator password through a brute-force attack • Using a DNS attack to redirect users to a different web server

  16. Attacking a WEB Server • Common website attacks used for defacement (continued) • Compromising an FTP or email server. • Exploiting web application bugs that result in a vulnerability • Misconfigured web shares • Weak file permissions • Rerouting a client after a firewall or router attack • SQL injection attacks (if the SQL server and web server are the same system)

  17. Attacking a WEB Server • Common website attacks used for defacement (continued) • Telnet or Secure Shell (SSH) intrusion • URL poisoning, which redirects the user to a different URL. • Web server extension or remote service intrusion • Intercepting the communication between client and server and altering the cookie so the server believes it is talking to a user with higher privileges (applies where authorization relies on cookie contents)

  18. Hacking Internet Information Server (IIS) • Windows IIS is one of the most popular web server software products. • The three most common attacks against IIS: • Directory traversal • Source disclosure • Buffer overflow

  19. Hacking Internet Information Server (IIS) • Directory traversal attack (DTA) • Web clients are limited to specific directories within the Windows file system. • Only the web root directory and its sub-directories are meant to be accessible to web clients. • A directory-traversal attack, however, permits access to other directories within the file system.

  20. Hacking Internet Information Server (IIS) • Directory traversal attack (DTA) • Unpatched Windows 2000 with IIS has a DTA vulnerability, also known as the Unicode exploit (Microsoft bulletin MS00-078). • This exploit affects CGI scripts and Internet Server Application Programming Interface (ISAPI) extensions such as .asp. • The reason: the IIS parser did not properly canonicalize Unicode-encoded paths, letting attackers run commands (for example cmd.exe) on the server with the web server's privileges.

  21. Hacking Internet Information Server (IIS) • Directory traversal attack (DTA) • Unicode assigns a code point to the characters of every language; on the wire they travel as UTF-8 byte sequences, which appear in URLs as percent-encoded bytes. • IIS checked the request path for “..” traversal before it decoded these sequences, and its decoder accepted overlong encodings, so an overlong encoding of “/” passed the check and was turned into a real slash afterwards. • Hackers could therefore sneak file requests through IIS. • Example: using %c0%af instead of a slash in a relative pathname (..%c0%af..) exploits the IIS vulnerability.

  22. Hacking Internet Information Server (IIS) • Directory traversal attack (DTA) • This exploit lets the hacker gain access to files normally forbidden to him/her. • Worse, it allows the hacker to add, change, or delete files, or upload and run code on the server (a Trojan or a backdoor). • The IIS Unicode exploit is an outdated vulnerability; it is presented here as proof that such vulnerabilities exist and can be exploited.
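To make the decode-order bug of slides 20 to 22 concrete, here is an added Python model of the two request-handling orders (an illustration, not IIS code and not from the original presentation). The document root `/inetpub/wwwroot`, the probe URL and the lenient decoder that mimics the old IIS behaviour are assumptions; what the example shows is why checking for “..” before decoding overlong UTF-8 lets `..%c0%af..` escape the web root, and why strict decoding followed by canonicalization and a root check does not.

```python
import posixpath
from urllib.parse import unquote_to_bytes

WEBROOT = "/inetpub/wwwroot"   # assumed document root for the demonstration


def lenient_utf8(data: bytes) -> str:
    """Emulate a decoder that accepts overlong two-byte sequences (C0/C1 lead bytes).

    %c0%af is an overlong encoding of '/' (0x2F); a strict decoder must reject it.
    """
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
    return "".join(out)


def vulnerable_resolve(url_path: str):
    """Check-then-decode: the '..' test runs on the still-encoded path (the bug)."""
    if ".." in url_path.split("/"):        # only sees '..' between ASCII slashes
        return None
    decoded = lenient_utf8(unquote_to_bytes(url_path))
    return posixpath.normpath(WEBROOT + decoded)


def hardened_resolve(url_path: str):
    """Decode strictly, canonicalize, then verify the result stays under WEBROOT."""
    try:
        decoded = unquote_to_bytes(url_path).decode("utf-8")   # rejects overlong bytes
    except UnicodeDecodeError:
        return None
    full = posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):
        return None
    return full


def escapes_webroot(path) -> bool:
    """True when a resolved path points outside the document root."""
    return path is not None and path != WEBROOT and not path.startswith(WEBROOT + "/")


if __name__ == "__main__":
    probe = "/scripts/..%c0%af../winnt/system32/cmd.exe"   # classic Unicode-exploit shape
    print("vulnerable ->", vulnerable_resolve(probe))
    print("hardened   ->", hardened_resolve(probe))
```

The hardened version applies the generally correct rule for any path check: decode everything first (and reject what does not decode strictly), canonicalize, and only then compare against the allowed root.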

  23. Hacking Internet Information Server (IIS) • Buffer overflow attacks • Not unique to web servers • Can also be launched against other types of systems • A buffer overflow involves sending more data than the receiving program has reserved space for, so that adjacent memory is overwritten. • Any input the server parses can be an entry point; web forms are a common one.

  24. Hacking Internet Information Server (IIS) • Source Disclosure Attacks • Occur when the source code of a server application can be obtained. • This can lead to a hacker identifying the application type, programming language, and other application-specific information. • With this information a hacker can identify security holes and potential exploits for them.

  25. Hacking Internet Information Server (IIS) • Most of a hacker's time is spent gathering information about a target in order to identify the best point of entry for an exploit. • White-hat hackers must be aware of all information-gathering techniques to identify potential vulnerabilities in web servers and web applications, • so that they can defend against the same attacks and implement countermeasures to prevent them.

  26. Patch-Management Techniques • Patch management plays a critical role in preventing and mitigating the risk of attack against web servers and web applications. • It is the process of applying the patches and hot-fixes that the system vendor releases. • Proper patch management involves choosing how patches are to be installed and verified. • It also involves testing those patches on a non-production network prior to installation.

  27. Patch-Management Techniques • You should maintain a log of all patches applied to each system. • To make patch installation easier, you can use automated patch-management systems.

  28. WEB Server Hardening Methods • Rename the administrator account, and use a strong password. • Disable default websites and FTP sites. • Remove unused applications from the server. • Disable directory browsing in the web server’s configuration settings. • Add a legal notice to the site to make potential attackers aware of the implications of hacking the site.

  29. WEB Server Hardening Methods • Apply the most current patches, hot-fixes, and service packs to the operating system and web server software. • Perform bounds checking on input from web forms and query strings to prevent buffer overflow or malicious input attacks. • Disable remote administration. • Use a script to map unused file extensions to a 404 (“File not found”) error message.

  30. WEB Server Hardening Methods • Enable auditing and logging. • Use a firewall between the server and the Internet and allow only necessary ports (such as 80 and 443) through it. • Send sensitive data to the web server with POST rather than GET, so it does not end up in URLs, browser history, and server or proxy logs; POST alone does not protect the data in transit, so combine it with HTTPS.

  31. WEB Application Vulnerabilities • Web application vulnerabilities are as risky as web server vulnerabilities. • Web applications are programs that reside on a web server to give users functionality beyond plain file serving: • Database queries • Webmail • Discussion groups • Blogs

  32. WEB Application Vulnerabilities • A web application uses a client/server architecture • The client part runs in web browsers • The server part runs on the web server, • which acts as the application server. • JavaScript is the most popular way to implement user interactivity on the client side (web browsers).

  33. WEB Application Vulnerabilities • The purpose of hacking a web application is to gain confidential data. • Web applications are critical to the security of a system because they usually connect to a database that contains: • Identities • Credit card numbers • Passwords

  34. WEB Application Vulnerabilities • Web application vulnerabilities increase the threat that hackers will exploit the operating system, the web server, or the web application software. • Web applications are essentially another door into a system and can be exploited to compromise it. • Hacking web applications is similar to hacking other systems.

  35. WEB Application Vulnerabilities • Hackers follow a five-step process (diagram not reproduced in the transcript)

  36. WEB Application Threats and Countermeasures • Cross-Site Scripting (XSS) • A parameter entered into a web form or URL is copied by the web application into a page it serves without being encoded. • The attacker's input then runs as script in other users' browsers, where it can steal their cookies or act on their behalf. Countermeasure: validate cookies, query strings, form fields, and hidden fields, and encode all output placed into HTML.

  37. WEB Application Threats and Countermeasures • SQL Injection • Inserting SQL syntax into a URL parameter or form field that the application pastes into a query gets the database server to dump, alter, delete, or create information in the database. Countermeasure: validate user input and use parameterized queries. • Command Injection • The hacker inserts operating-system or scripting commands into a web form whose content the application passes to a shell or interpreter. Countermeasure: do not hand user input to a shell; use the language's own libraries and argument lists for the operation instead.
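An added Python example covering the injection flaws of slides 36 and 37 side by side with their countermeasures (illustration code, not from the original presentation). It uses an in-memory SQLite table with constructed sample accounts; the login and greeting functions, and the attack strings fed to them, are assumptions chosen to show one SQL injection and one cross-site scripting case, each next to the fixed version.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory user table with constructed sample accounts (not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "wonderland"), ("bob", "builder")])
    return con


def login_vulnerable(con: sqlite3.Connection, user: str, password: str):
    """SQL injection: attacker-controlled text becomes part of the statement."""
    query = (f"SELECT name FROM users WHERE name = '{user}' "
             f"AND password = '{password}'")
    return con.execute(query).fetchone()


def login_safe(con: sqlite3.Connection, user: str, password: str):
    """Bound parameters: the input is passed as data and never parsed as SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return con.execute(query, (user, password)).fetchone()


def greet_vulnerable(name: str) -> str:
    """XSS: the parameter is reflected into HTML unencoded, so markup in it executes."""
    return f"<p>Welcome back, {name}!</p>"


def greet_safe(name: str) -> str:
    """Output encoding: '<', '>', '&' and quotes become entities; the browser shows text."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    con = make_db()
    # 'alice' -- comments out the password check in the concatenated query.
    print("vulnerable login:", login_vulnerable(con, "alice' --", "wrong"))
    print("safe login:      ", login_safe(con, "alice' --", "wrong"))
    payload = "<script>alert(document.cookie)</script>"
    print("vulnerable page: ", greet_vulnerable(payload))
    print("safe page:       ", greet_safe(payload))
```

Both fixes follow the same principle the slides state as "validate the user variables": keep data and code apart, by parameter binding on the database side and by context-appropriate encoding on the HTML side. Validation of the input is still worthwhile, but it is the encoding and binding that remove the injection.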

  38. WEB Application Threats and Countermeasures • Cookie Poisoning and Snooping • The hacker alters or steals cookies. Countermeasure: • Don't store passwords in cookies. • Implement cookie timeouts. • Authenticate (sign) cookies so tampering is detected. • Buffer Overflow • Huge amounts of data are sent to a web application through a web form to execute commands. Countermeasure: • Validate user input length • Perform bounds checking

  39. WEB Application Threats and Countermeasures • Authentication Hijacking • The hacker steals a session once a user has authenticated. Countermeasure: • Use SSL/TLS to encrypt traffic, and mark session cookies Secure and HttpOnly • Directory Traversal/Unicode • The hacker browses through folders on the system via a web browser or Windows Explorer. Countermeasure: • Define access rights to private folders on the web server • Apply patches and hotfixes.

  40. Google Hacking • Google hacking refers to using Google's powerful search engine • to locate high-value targets • to search for valuable information such as passwords • The Google Hacking Database (GHDB) is a database of queries that identify sensitive data. • Although Google blocks some of the better-known Google hacking queries, nothing stops a hacker from crawling your site and running the Google Hacking Database queries directly against the crawled content.

  41. Google Hacking • Some of the more popular examples are finding specific versions of vulnerable web applications. • Searching for the exact version string as a quoted phrase locates every web page that contains that text. • It is normal for default installations of applications to include their running version in every page they serve, e.g., "Powered by XOOPS 2.2.3 Final".

  42. Google Hacking • Information that the Google Hacking Database identifies: • Advisories and server vulnerabilities • Error messages that contain too much information • Files containing passwords • Sensitive directories • Pages containing logon portals • Pages containing network or vulnerability data such as firewall logs.

  43. Google Hacking • The following search query locates all pages that have the words "admbook" and "version" in the page title. • It also restricts the results to pages served as PHP files. intitle:admbook intitle:version filetype:php

  44. Google Hacking • Another technique is searching for insecure coding practices in the public code indexed by Google Code Search (since discontinued) or other source-code search engines. • One can even retrieve the username and password list from Microsoft FrontPage servers by entering the following search string in the Google search field: "#-Frontpage-" inurl:administrators.pwd • Devices connected to the Internet can be found. • With the search string below you can find public web cameras: inurl:"ViewerFrame?Mode="

  45. Google Hacking • Check the following links to get more information about Google hacking: • http://www.informit.com/articles/article.aspx?p=170880 • http://www.acunetix.com/websitesecurity/google-hacking.htm • http://www.eyupcelik.com.tr/guvenlik-araclari/google-hacking-database • Preventing Google hacking attacks • Remove, or restrict access to, all pages identified by Google hacking queries

  46. Web Based Password Cracking Techniques • Authentication Types • Web servers and web applications support multiple authentication types. • The most common is HTTP authentication. • The two types of HTTP authentication are: • Basic • Digest • Basic HTTP authentication sends the username and password base64-encoded, which is trivially reversed: effectively cleartext. • Digest authentication hashes the credentials together with a server-supplied nonce in a challenge-response exchange, so the password itself never crosses the wire.
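An added Python example for the Basic and Digest mechanisms described above (illustration code, not from the original presentation). It decodes a Basic `Authorization` header to show that the password is recoverable by anyone who sees it, and computes and verifies an RFC 2617 Digest response in its simplest form (no `qop`). The user name, realm, password, nonce and URI are constructed values.

```python
import base64
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_basic_header(user: str, password: str) -> str:
    """What a browser sends for Basic auth: 'Basic ' + base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str):
    """Anyone on the path (or reading a log) gets the password back with one decode."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_response(user: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """Client side of Digest (RFC 2617, no qop):
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:HA2). Only 'response' travels to the server."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verify(stored_ha1: str, method: str, uri: str,
                  nonce: str, response: str) -> bool:
    """Server side: it stores HA1 (not the password) and recomputes the expected value.
    The nonce is what ties the response to this challenge; a fresh nonce per challenge
    is what stops a captured response from being replayed."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed credentials for the demonstration.
    hdr = build_basic_header("alice", "s3cret")
    print(hdr, "->", parse_basic_header(hdr))        # Basic is reversible
    ha1 = md5_hex("alice:example-realm:s3cret")
    resp = digest_response("alice", "example-realm", "s3cret",
                           "GET", "/secret", "nonce-0001")
    print("digest ok:", server_verify(ha1, "GET", "/secret", "nonce-0001", resp))
```

Digest keeps the password off the wire, but it is built on MD5 and a captured response can still be attacked offline by guessing passwords against the known nonce, so in practice both schemes belong inside HTTPS.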

  47. Web Based Password Cracking Techniques • Authentication Types • In addition, web servers and web applications support the following types of authentication: • NTLM Authentication • Certificate-Based Authentication • Token-Based Authentication • Biometric Authentication

  48. Web Based Password Cracking Techniques • Authentication Types • NTLM Authentication • Used between Internet Explorer and IIS web servers • More suitable for internal authentication on an intranet running Microsoft operating systems • Kerberos authentication on Windows servers is the more secure option • Certificate-Based Authentication • Uses an X.509 certificate and public/private key technology.

  49. Web Based Password Cracking Techniques • Authentication Types • Token-Based Authentication • A token such as RSA SecurID is a hardware device that displays an authentication code that changes every 60 seconds. • The user enters this code to log into a network. • Biometric Authentication • This type uses a physical characteristic such as a fingerprint, iris, or handprint to authenticate the user.

  50. Web Based Password Cracking Techniques • Password Attacks and Password Cracking • Three types of password attack are: • Dictionary • Tries passwords that can be found in a wordlist (dictionary) • Brute-Force • Tries every combination of letters, numbers, and special characters up to a given length, so it eventually finds complex passwords but is slow • Hybrid • Uses dictionary words with a number or special character appended, or substituted for a letter (e.g. ‘@’ for ‘a’, ‘$’ for ‘s’)
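The three attack types on slide 50 as an added Python example (illustration code, not from the original presentation). The wordlist, the substitution table and the target hashes are constructed for the demonstration, and the hash is plain unsalted SHA-256 as an assumption, which is exactly the kind of storage these attacks are cheap against.

```python
import hashlib
import itertools

WORDLIST = ["password", "summer", "welcome", "dragon", "letmein"]   # constructed
LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}           # hybrid substitutions
SUFFIXES = [str(n) for n in range(100)] + ["!", "@", "#", "$"]      # hybrid appendages


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def dictionary_attack(target: str, words):
    """Try each wordlist entry as-is."""
    for word in words:
        if sha256_hex(word) == target:
            return word
    return None


def hybrid_candidates(word: str):
    """Mangle one word: capitalization, leet substitutions, then digit/symbol suffixes."""
    variants = {word, word.capitalize(), "".join(LEET.get(c, c) for c in word)}
    for ch, sub in LEET.items():            # single-character substitutions
        if ch in word:
            variants.add(word.replace(ch, sub))
    for v in sorted(variants):
        yield v
        for s in SUFFIXES:
            yield v + s


def hybrid_attack(target: str, words):
    """Dictionary words plus mangling rules: catches 'dr@gon1'-style passwords."""
    for word in words:
        for cand in hybrid_candidates(word):
            if sha256_hex(cand) == target:
                return cand
    return None


def brute_force(target: str, charset: str, max_len: int):
    """Exhaustive search over charset up to max_len; cost grows as len(charset)**n."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            cand = "".join(combo)
            if sha256_hex(cand) == target:
                return cand
    return None


if __name__ == "__main__":
    # Constructed targets: hashes of passwords the demo is meant to recover.
    print(dictionary_attack(sha256_hex("welcome"), WORDLIST))
    print(hybrid_attack(sha256_hex("dr@gon1"), WORDLIST))
    print(brute_force(sha256_hex("cab"), "abc", 3))
```

The defensive reading of the same code: a salted, deliberately slow password hash (bcrypt, scrypt, Argon2) makes each `sha256_hex` call in these loops cost orders of magnitude more, and per-account lockout or rate limiting is what stops the online version of the dictionary attack against a login form.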
