Source: rowdysites.msudenver.edu/~fustos/cis4500/pdf/chapter06.pdf
Web-Based Hacking: Servers and Applications
Chapter #6:
CIS 4500
Outline
• Identify features of common web server architecture
• Identify web application function and architecture points
• Describe web server and web application attacks
• Identify web server and application vulnerabilities
• Identify web application hacking tools
Phases of Hacking (figure-only slide)
Web Organizations (figure-only slide)
Web Organizations
• IETF
  • RFCs
• W3C
• OWASP
  • Top 10 Project
• MITRE
OWASP Top 10 Web Vulnerabilities
• A1 – Injection Flaws: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
• A2 – Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
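An added example (not from the slides) of the A1 flaw beside its fix: the same user lookup written by string concatenation and with a bound parameter, run against a constructed in-memory SQLite table.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.test"),
                      (2, "bob", "bob@example.test")])
    return conn

def find_user_vulnerable(conn, name):
    # Untrusted input is spliced into the query text, so SQLite parses the
    # caller's data as part of the command: a quote ends the string literal
    # and whatever follows is interpreted as SQL.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_parameterized(conn, name):
    # The statement is fixed before the value arrives; the value is bound
    # separately and can only ever be compared as a string, quotes included.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def leaks_extra_rows(conn, name):
    # Defender's check for auditing legacy query code: does the concatenated
    # form return rows that the bound form does not?
    return len(find_user_vulnerable(conn, name)) > len(find_user_parameterized(conn, name))

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # constructed hostile input: closing quote plus a tautology
    print(find_user_vulnerable(db, probe))     # every row comes back
    print(find_user_parameterized(db, probe))  # [] : nobody is literally named that
```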
OWASP Top 10 Web Vulnerabilities
• A3 – Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.
• A4 – Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
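An added example (not from the slides) for A4: a record lookup that trusts the id from the request, the same lookup with a server-side ownership check, and the indirect-reference alternative where the client only ever sees per-session tokens. The invoice data and names are constructed for the example.

```python
import secrets

# Constructed sample data: invoice ids are predictable integers, as in most apps.
INVOICES = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 89.50},
}

class Forbidden(Exception):
    pass

def get_invoice_vulnerable(session_user, invoice_id):
    # The id from the URL is used directly as the database key. Any logged-in
    # user who edits the number in the address bar reads someone else's invoice.
    return INVOICES[invoice_id]

def get_invoice_checked(session_user, invoice_id):
    # Direct reference kept, but every access re-checks ownership against
    # server-side data. Missing and not-yours get the same answer, so the
    # response does not confirm which ids exist.
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"invoice {invoice_id} is not accessible")
    return record

def make_reference_map(session_user):
    # Indirect references: the page receives random per-session tokens instead
    # of raw keys, and only the caller's own objects get a token at all.
    return {secrets.token_urlsafe(8): inv_id
            for inv_id, rec in INVOICES.items() if rec["owner"] == session_user}

def get_invoice_indirect(ref_map, token):
    inv_id = ref_map.get(token)
    if inv_id is None:
        raise Forbidden("unknown reference")
    return INVOICES[inv_id]

def denied(fn, *args):
    # Helper so an access decision can be checked without catching exceptions.
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```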
OWASP Top 10 Web Vulnerabilities
• A5 – Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
• A6 – Sensitive Data Exposure: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection, such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
OWASP Top 10 Web Vulnerabilities
• A7 – Missing Function Level Access Control: Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
• A8 – Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
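An added example (not from the slides) of the standard defence against A8: a per-session synchronizer token that the legitimate form embeds and a cross-site page cannot read, checked with a constant-time compare, plus an Origin-header check and the cookie attributes that keep the session cookie off cross-site requests. The session and request dicts stand in for a real framework's objects.

```python
import hmac
import secrets

class CsrfError(Exception):
    pass

def issue_csrf_token(session):
    # Synchronizer-token pattern: one random secret per session, stored server
    # side and copied into every state-changing form as a hidden field.
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def verify_csrf(session, request):
    # The browser attaches the session cookie to a forged request automatically,
    # but the attacker's page cannot read the token, so the token is what proves
    # the request came from our own form. compare_digest avoids timing leaks.
    expected = session.get("csrf")
    supplied = request.get("form", {}).get("csrf_token")
    if not expected or not supplied or not hmac.compare_digest(
            expected.encode(), supplied.encode()):
        raise CsrfError("missing or invalid CSRF token")
    # Second layer: when the browser sends Origin, a same-site form post
    # carries our own origin, never someone else's.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != request["site"]:
        raise CsrfError(f"cross-origin request from {origin}")

def transfer_funds(session, request):
    # A state-changing action, gated on the check above.
    verify_csrf(session, request)
    return f"moved {request['form']['amount']} for {session['user']}"

def session_cookie_header(session_id):
    # SameSite=Lax withholds the cookie from cross-site POSTs; Secure and
    # HttpOnly keep it off plaintext HTTP and away from script.
    return f"Set-Cookie: sid={session_id}; Secure; HttpOnly; SameSite=Lax"

def rejected(fn, *args):
    # Helper so a CSRF decision can be checked without catching exceptions.
    try:
        fn(*args)
        return False
    except CsrfError:
        return True
```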
OWASP Top 10 Web Vulnerabilities
• A9 – Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
• A10 – Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
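An added example (not from the slides) of validating a redirect target for A10. It goes a little beyond the slide by covering the parsing edge cases that defeat naive checks: scheme-relative `//host`, backslashes, userinfo before the real host, non-HTTP schemes, and a path that begins with `//`. The allowlisted host name is constructed.

```python
from urllib.parse import urlparse, urlunparse

ALLOWED_HOSTS = {"app.example.test"}   # constructed allowlist for this example
DEFAULT_PAGE = "/home"

def safe_redirect_target(target):
    # Return a site-relative destination, or the default page whenever the
    # requested target cannot be shown to stay on our own site.
    if not target:
        return DEFAULT_PAGE
    # Browsers treat backslashes as slashes, so normalise before parsing;
    # otherwise "/\evil.test" parses as a path here but as a host in the browser.
    parsed = urlparse(target.strip().replace("\\", "/"))
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return DEFAULT_PAGE                      # javascript:, data:, ...
    if parsed.netloc:
        # Absolute or scheme-relative URL. .hostname strips userinfo and port,
        # so "https://app.example.test@evil.test/" resolves to evil.test.
        if parsed.hostname not in ALLOWED_HOSTS:
            return DEFAULT_PAGE
    path = parsed.path or "/"
    # A relative target must be an absolute path, and "//x" would be read by
    # the browser as a new host even though urlparse left it in the path.
    if not path.startswith("/") or path.startswith("//"):
        return DEFAULT_PAGE
    # Re-emit only path and query: whatever the input looked like, the
    # browser stays on the current origin.
    return urlunparse(("", "", path, "", parsed.query, ""))
```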
Attacking Web Servers
• Methodology:
  • information gathering
  • footprinting
  • mirroring websites
  • vulnerability scanning
  • session hijacking
  • password cracking
Exploring Web Servers
• “How to hack a web server”
• nikto – Vulnerability Analysis
• Burp Suite – Web Application Analysis
• HTTrack – Web Application Analysis – mirror a website
• sqlmap – Web Application Analysis
• Nessus – automated scans
Web Server Architecture
• Apache
• nginx
• IIS
HTTP Request Methods
• The GET method means retrieve whatever information (in the form of an entity) is identified by the Request-URI.
• The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response.
• The POST method is used to request that the origin server accept the entity of the resource identified by the Request-URI in the Request-Line. The actual function performed by the POST method is determined by the server and is usually dependent on the Request-URI.
HTTP Request Methods
• The PUT method requests that the enclosed entity be stored under the supplied Request-URI.
• The DELETE method requests that the origin server delete the resource identified by the Request-URI.
• The TRACE method is used to invoke a remote, application-layer loop-back of the request message.
• The CONNECT method is reserved for use with a proxy that can dynamically switch to being a tunnel.
Reserved Characters
• Don’t use space (though: this%20might%20work)
• Special characters: " ' ; / ? : \ @ = & | < # >
• Special directory names: cgi-bin
HTTP Status Codes
• 1xx: Informational
  Request received, continuing process.
• 2xx: Success
  The action was successfully received, understood, and accepted.
• 3xx: Redirection
  Further action must be taken in order to complete the request.
• 4xx: Client Error
  The request contains bad syntax or cannot be fulfilled.
• 5xx: Server Error
  The server failed to fulfill an apparently valid request.
Web Server Attacks
• Many (general)
  • password attacks
  • denial of service
  • man in the middle (sniffing)
  • DNS poisoning (a.k.a. hijacking)
  • phishing
Web Server Attacks
• Traversal (on older servers: ../../)
• Manipulating hidden fields
• Misconfiguration
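An added example (not from the slides) tying the traversal bullet to the earlier Reserved Characters slide: a static-file resolver that percent-decodes once, refuses double-encoded input and NUL bytes, treats backslashes as separators, and only serves a path whose resolved location is still inside the document root. The document root and files are constructed in a temporary directory.

```python
import os
import tempfile
from urllib.parse import unquote

class TraversalError(Exception):
    pass

def resolve_static(docroot, request_path):
    # 1. Percent-decode exactly once (so %2e%2e is seen as ".."), then refuse
    #    anything still containing '%': decoding again would be the
    #    double-encoding hole. A NUL would truncate the path in C-based servers.
    decoded = unquote(request_path)
    if "%" in decoded or "\x00" in decoded:
        raise TraversalError("suspicious encoding in path")
    # 2. Some servers accept backslashes as separators, so the check must too.
    relative = decoded.replace("\\", "/").lstrip("/")
    # 3. Resolve '..' and symlinks against the real docroot and require that the
    #    result is still under it. A plain prefix test is fooled by
    #    '/var/www2' starting with '/var/www'; commonpath is not.
    root = os.path.realpath(docroot)
    full = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, full]) != root:
        raise TraversalError(f"{request_path!r} escapes the document root")
    return full

def build_demo_root():
    # Constructed layout: <tmp>/www/index.html plus <tmp>/secret.txt one level up.
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "www")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("not for the web")
    return docroot

def escapes(docroot, request_path):
    # Helper: True when the resolver rejects the request.
    try:
        resolve_static(docroot, request_path)
        return False
    except TraversalError:
        return True
```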