WEB HACKING. Unit43-WebHacking

Transcription

1 WEB HACKING Unit43-WebHacking

2 What You Will Find Out About Broad classes of web hacking opportunities Several types of web server vulnerabilities 2

3 Web Hacking Opportunities Web Server Vulnerabilities Web Application Vulnerabilities Back-end Database Vulnerabilities 3

4 Web Server Vulnerabilities Sample Files Source Code Disclosure Canonicalization Server Extensions Input Validation Denial of Service 4

5 Sample Files Web servers are difficult to configure from the ground up. Thus they are distributed with numerous sample files. Microsoft IIS 4.0 sample file vulnerability: Sample scripts showcode.asp and codebrews.asp can reveal contents of files contained on the server (relative path traversal): setup.log 5

6 Source Code Disclosure If an attack allows one to view source code, it may be possible to leverage this to find other files or information. Example: IIS +.htr vulnerability: Appending +.htr in one IIS version caused part of the contents of the referenced file to be returned. global.asa is a desirable target Global.asp configuration file that resides in a known location It contains code associated with new sessions (object, variable, method declarations) It may contain database connect code with the database username and password 6

7 More Source Code Disclosure Bugtraq 2527 Reported a problem common to WebLogicServer and TomcatServer: When URL-encoded replacements for characters appear in a java servlet filename, the server would return source code from the servlet. What character is URL-encoded as %70? 7

8 Canonicalization Often more than one representation for the same string (URL, filename, etc.) exists. In order to determine if a URL or filename matches particular resource, canonicalization is used. [The root word canon = law, means that this is the version of the name given by law.] Canonicalization errors usually occur when the web server canonicalization process fails to faithfully carry out the law. This causes the web server to fail to recognize that a URL is associated with the specific file that it addresses. 8

9 Canonicalization Error Example: Apache A recent version of Apache for Windows could be configured as follows: DocumentRoot C:/Documents and Settings/http/site/docroot ScriptAlias /cgi-bin/ C:/Documents and Settings/http/site/docroot/cgi-bin Normal usage would expect a URL like the following and would execute the script foo: But the source code of the file foo would be delivered by using this URL: because while Apache's routing code is case-sensitive, Windows file system requests are case-insensitive. Apache didn t canonicalize the path name properly. 9

10 Canonicalization Error Example: IIS In 1998, IIS was discovered to be susceptible to what is know as the ASP::$DATA vulnerability. A URL of this form: would reveal the data associated with any asp file. 10

11 Canonicalization Error Example: Do it Again! Do it Again! URL Encoding requires decoding. Often the decoding is done more than one place. This is a mistake. Consider the %25 decodes to % and that %5 decodes to \. Then multiple steps of decoding once can convert a URLs like this: into URLs like this: and finally URLs like this: 11

12 Server Extensions WebDAV (Web Distributed Authoring and Versioning) is a wonderful idea often gone wrong. It was intended to let groups of people remotely author web content. If WebDAV is enabled, requests such as this may function: GET /global.asa\ HTTP/1.0 Host: Translate: f [CRLF] [CRLF] Translate f says to use ISAPI filter httpext.dll before IIS does, and the trailing \ is handled by that filter in a way that causes the request to be sent to the underlying OS filesystem, delivering the file content to the user. 12

13 Input Validation We lump input validation errors into the dinosaur hack category. This can lead to buffer overflows, integer errors, and heap exploits. Unlikely to find format string errors in web servers, but it's possible because web servers do generate log message strings and numerous other strings. 13

14 Denial of Service nruns.com/_downloads/advisory pdf (dead link, now available from described the concept of using naive programming language hash table implementations to waste server time by Identifying many strings that hash to the same location Presenting these strings as POST parameters (which are typically stored in a hash table) to cause server thrashing. All modern runtime environments (PHP5,.NET, Java, Python, Ruby) were susceptible at the time of release in

15 Avoidance? Sample Files Don t provide them! Don t use them.!don t leave them lying around1 Source Code Disclosure Fix the server! Canonicalization Fix the server! Server Extensions Don t use them! Input Validation Fix the server and fix your code! Denial of Service Fix the plugins! 15

16 Links Hacking Exposed Chapter 10 Web and Database Hacking 16