How Web Servers Work and Web Server Vulnerabilities
Web servers use Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol
Secure (HTTPS) to allow web-based clients to connect to them and view and download
files. HTTP is an Application-layer protocol in the TCP/IP stack. HTTP and HTTPS are
the primary protocols used by web clients accessing web pages residing on web servers on
the Internet. Hypertext Markup Language (HTML) is the language used to create web
pages and allows those pages to be rendered in web browser software on web clients.
The HTTP protocol operates as follows:
1. The web client initially opens a connection to the web server IP address using TCP port 80.
2. The web server waits for a GET request from the client requesting the home page for
the website.
3. The web server responds with the HTML code for the web server home page.
4. The client processes the HTML code and the web client’s browser software renders the
page on the client device.
Types of Web Server Vulnerabilities
Web servers, like other systems, can be compromised by a hacker. The following vulnerabilities
are most commonly exploited in web servers:
Misconfiguration of the Web Server Software A common issue with using Microsoft’s
Internet Information Server (IIS) as a web server is the use of the default website. The
permissions on the default website are open, meaning the default settings leave the site
open to attack. For example, all users in the everyone group have full control to all the
files in the default website directory. It is critical to edit and restrict permissions once IIS is
installed on the server as the default system user, IUSR_COMPUTERNAME, is a member
of the everyone group. Consequently, anyone accessing the default website will be able to
access all files in the default website folder and will have dangerous permissions such as
Execute and Full Control to the files. See Exercise 8.1 to learn how to disable the default
website in IIS.
Operating System or Application Bugs, or Flaws in Programming Code All programs,
including the OS and web server applications, should be patched or updated on a regular
basis. For Windows systems, this includes security patches, hotfixes, and Windows
Updates. All of these patches can be applied to the systems automatically or manually once
they have been tested.
Vulnerable Default Installation Operating system and web server software settings
should not be left at their defaults when installed, and should be updated on a continuous
basis.
Hackers exploit these vulnerabilities to gain access to the web server. Because web servers
are usually located in a demilitarized zone (DMZ)—which is a publicly accessible area between
two packet filtering devices and can be easily accessed by the organization’s client systems—an
exploit of a web server offers a hacker easier access to internal systems or databases.
Attacking a Web Server
Web servers typically listen on TCP port 80 (HTTP) and TCP port 443 (HTTPS). Because
those ports must be open and available to web clients, any firewalls or packet filtering devices
between the web client and web server must pass traffic destined for those ports. Web application
software sits on top of the web server software and allows access to additional ports.
One of the initial information-gathering steps targeting web servers is banner grabbing.
Banner grabbing is an attempt to gather information about a web server such as the OS and
web server software and version. Exercise 8.3 shows you how to use banner grabbing.
Banner Grabbing
1. At the command prompt on your Windows PC, type
telnet <IPaddress> 80
The IP address is the address of the web server target. Also, the URL can be used
instead of the IP address.
2. Next, in the telnet window type
HEAD / HTTP/1.0
Then press Enter.
The web server banner will then be returned. The banner will look something like the following:
Server: Microsoft-IIS/5.0
Date: Fri, 14 Aug 2009 1:14:42 GMT
Content-Length:340
Content-Type: text/html
The banner grabbing result will usually identify the web server type and version. This
information is important because exploits against this web server type and version can be
identified. The next step after banner grabbing would be to attack the web server or attack
a web application and gain access to data on the server.
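The four-step exchange described above and the HEAD probe from the banner grabbing exercise, as an added example that is not part of the original text: a constructed stand-in server on the loopback interface (the Microsoft-IIS/5.0 string is only the page's sample banner value, not a real server) answers GET / with its home page and HEAD / with headers only, and `banner()` shows what the probe reveals versus what a server configured to omit its Server header reveals. The function names `start_server`, `http_request` and `banner` are this example's own.

```python
import socket
import threading

# Constructed stand-in for a web server: just enough HTTP/1.0 for the four-step
# exchange (GET / returns the home page) and for a HEAD / banner probe.
HOME_PAGE = b"<html><body><h1>Home</h1></body></html>"

def serve_one(conn, server_header):
    """Answer one request; HEAD gets the headers only, GET gets the HTML as well."""
    with conn, conn.makefile("rb") as rf:
        method = rf.readline().split(b" ", 1)[0]
        while rf.readline().strip():      # the request ends at the first blank line
            pass
        lines = [b"HTTP/1.0 200 OK", b"Content-Type: text/html",
                 b"Content-Length: %d" % len(HOME_PAGE)]
        if server_header:                 # a hardened server omits this header
            lines.append(b"Server: " + server_header.encode())
        body = b"" if method == b"HEAD" else HOME_PAGE
        conn.sendall(b"\r\n".join(lines) + b"\r\n\r\n" + body)

def start_server(server_header):
    """Listen on an ephemeral loopback port; requests are served on a daemon thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:               # listening socket closed by the caller
                return
            serve_one(conn, server_header)
    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def http_request(port, method):
    """Client side: open TCP, send the request line plus the terminating blank line,
    read until the server closes, and split the reply into headers and body."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(b"%s / HTTP/1.0\r\n\r\n" % method.encode())
        raw = b"".join(iter(lambda: c.recv(4096), b""))
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (l.partition(":") for l in head.decode().split("\r\n")[1:])}
    return headers, body

def banner(port):
    """What the HEAD probe reveals: the Server header value, or None if suppressed."""
    return http_request(port, "HEAD")[0].get("server")
```

Note that the request is only complete once the blank line after the request line has been sent, which is why a manual telnet session needs a second Enter before the server answers.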
A benign but visible type of attack against web servers is defacement. Hackers deface
websites for sheer joy and an opportunity to enhance their reputations rather than gathering
any useful data. Defacing a website means the hacker exploits a vulnerability in the OS or
web server software and then alters the website files to show that the site has been hacked.
Often the hacker displays their hacker name on the website’s home page.
Common website attacks that enable a hacker to deface a website include the following:
=> Capturing administrator credentials through man-in-the-middle attacks
=> Revealing an administrator password through a brute-force attack
=> Using a DNS attack to redirect users to a different web server
=> Compromising an FTP or email server
=> Exploiting web application bugs that result in a vulnerability
=> Misconfiguring web shares
=> Taking advantage of weak permissions
=> Rerouting a client after a firewall or router attack
=> Using SQL injection attacks (if the SQL server and web server are the same system)
=> Using telnet or Secure Shell (SSH) intrusion
=> Carrying out URL poisoning, which redirects the user to a different URL
=> Using web server extension or remote service intrusion
=> Intercepting the communication between the client and the server and changing the cookie
to make the server believe that there is a user with higher privileges (applies to cookie-enabled
security)