HTTP: Advanced Assessment Techniques

Similar documents
World Wide Web, etc.

CS193i Handout #18. HTTP Part 5

CIT 480: Securing Computer Systems

Web Application Footprints and Discovery

HTTP, circa HTTP protocol. GET /foo/bar.html HTTP/1.1. Sviluppo App Web 2015/ Intro 3/3/2016. Marco Tarini, Uninsubria 1

Defending Web Services using Mod Security (Apache)

Securing The Apache Web Server. Matthew Cook

HTTP Reading: Section and COS 461: Computer Networks Spring 2013

2- Application Level Protocols HTTP 1.0/1.1/2

HTTP TRAFFIC CONSISTS OF REQUESTS AND RESPONSES. All HTTP traffic can be

The HTTP Protocol HTTP

Outline Computer Networking. HTTP Basics (Review) How to Mark End of Message? (Review)

ModSecurity Use Case: Web 2.0 Defense with Ajax Fingerprinting and Filtering

Application Layer Introduction; HTTP; FTP

Applications & Application-Layer Protocols: The Web & HTTP

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

CS144 Notes: Web Standards

HyperText Transfer Protocol

CSE 333 Lecture HTTP

Hypertext Transport Protocol

Security Advisory on Updates to Pivotal / VMware vfabric Web Server

Web Hacking: Attacks And Defense By Saumil Shah, Stuart McClure READ ONLINE

Web Application Penetration Testing

RKN 2015 Application Layer Short Summary

ECE697AA Lecture 2. Today s lecture

World-Wide Web Protocols CS 571 Fall Kenneth L. Calvert All rights reserved

CS631 - Advanced Programming in the UNIX Environment

Security and network design

1-1. Switching Networks (Fall 2010) EE 586 Communication and. September Lecture 10

Computer Networks. Wenzhong Li. Nanjing University

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

Web, HTTP and Web Caching

Stopping Automated Application Attack Tools

HTTP Protocol and Server-Side Basics

Base64 The Security Killer

Proxying. Why and How. Alon Altman. Haifa Linux Club. Proxying p.1/24

Lab 2. All datagrams related to favicon.ico had been ignored. Diagram 1. Diagram 2

CSE 333 Lecture HTTP

Web History. Systemprogrammering 2006 Föreläsning 9 Web Services. Internet Hosts. Web History (cont) 1945: 1989: Topics 1990:

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

Giving credit where credit is due

5/11/2009. Better to light a candle than to curse the darkness. Case Study: Reconnaissance Leaks & Corporate Assets

Produced by. Mobile Application Development. Higher Diploma in Science in Computer Science. Eamonn de Leastar

LAMP, WEB ARCHITECTURE, AND HTTP

HTTP Fingerprinting. The next generation. Eldar Marcussen Stratsec.

Lecture 7b: HTTP. Feb. 24, Internet and Intranet Protocols and Applications

Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

Volume INFOSEC4FUN/UNIX4FUN DOCS. IT Troubleshooting Documentation. Troubleshooting the Stack

ECCouncil Exam v8 Certified Ethical Hacker v8 Exam Version: 7.0 [ Total Questions: 357 ]

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Pluggable Transports Roadmap

Lecture Overview : Computer Networking. Applications and Application-Layer Protocols. Client-Server Paradigm

Web Client And Server

Project 1: Web Client and Server

Session 8. Reading and Reference. en.wikipedia.org/wiki/list_of_http_headers. en.wikipedia.org/wiki/http_status_codes

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

About the Tutorial. Audience. Prerequisites. Copyright & Disclaimer

CSSE 460 Computer Networks Group Projects: Implement a Simple HTTP Web Proxy

Chapter 2 Application Layer

CS 642 Homework #4. Due Date: 11:59 p.m. on Tuesday, May 1, Warning!

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):

World Wide Web. Before WWW

INTERNET ENGINEERING. HTTP Protocol. Sadegh Aliakbary

Browser behavior can be quite complex, using more HTTP features than the basic exchange, this trace will show us how much gets transferred.

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

CS 43: Computer Networks. Layering & HTTP September 7, 2018

Introduction to Ethical Hacking

1.1 A Brief Intro to the Internet

HTTP Review. Carey Williamson Department of Computer Science University of Calgary

1.1 A Brief Intro to the Internet

Penetration Testing with Kali Linux

Web Programming 4) PHP and the Web

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Security Testing is performed to reveal security flaws in the system in order to protect data and maintain functionality.

CS 43: Computer Networks. HTTP September 10, 2018

Web Engineering. Basic Technologies: Protocols and Web Servers. Husni

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

TACACS Support APIs. curl -k -v -u "admin:cisco123" -H Accept:application/vnd.yang.data+xml -H ContentType:application/vnd.yang.

Lecture Overview. Lecture 3 Design Philosophy & Applications. Internet Architecture. Priorities

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Announcements Fawzi Emad, Computer Science Department, UMCP

Hacking Terminology. Mark R. Adams, CISSP KPMG LLP

Computer Networks - A Simple HTTP proxy -

Host Website from Home Anonymously

Applications & Application-Layer Protocols: The Web & HTTP

CSI 32. Lecture 22. Chapter A Network Primer 16.2 Writing a Basic Client

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

How were the Credit Card Numbers Published on the Web? February 19, 2004

Recitation 13: Proxylab Network and Web

COSC 2206 Internet Tools. The HTTP Protocol

COMP6218: Content Caches. Prof Leslie Carr

Security II: Web authentication

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

Certified Secure Web Application Engineer

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline

Scan of

C22: Browser & Web Server Communication

CORS Attacks. Author: Milad Khoshdel Blog: P a g e. CORS Attacks

Transcription:

HTTP: Advanced Assessment Techniques Saumil Shah Director of R&D, NT Objectives Inc. Director, Net-Square Author: ÒWeb Hacking - Attacks and DefenseÓ BlackHat Windows Security 2003, Seattle

The Web HackerÕs playground Web Client Web Server Web app Web app Web app Web app DB DB

The Evolution of Web Hacking Classic ÒphfÓ bug Automated web vulnerability checking Input validation attacks Buffer overflows Source code disclosure Session Hijacking Lame attacks (the client side XS? attacks)

The Evolution of Web Defense Tight web server configuration. Web server plug-in filters. Secure coding (yea rright) Security by obscurity.

Security by obscurity Who is running IIS? É Not me! Web server target acquisition: largely by banner grabbing $ nc 192.168.7.247 80 HEAD / HTTP/1.0 HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Content-Location: http://192.168.7.247/default.htm Date: Fri, 01 Jan 1999 20:09:05 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Fri, 01 Jan 1999 20:09:05 GMT ETag: W/"e0d362a4c335be1:ae0" Content-Length: 133

Security by obscurity Patch web server binaries to change server banner. e.g. ÒMicrosoft-IIS/5.0Ó rewritten to be ÒApache/1.3.26Ó If source is available, recompile with different server banner. e.g. ÒApache/1.3.26Ó rewritten to be ÒWebSTARÓ Works well in defeating certain automated attacks.

Security by obscurity Web server configuration rules / plug-ins to disguise the server header. Re-order HTTP header fields, change cookie names, filter certain responses, etc. $ nc 192.168.7.247 80 HEAD / HTTP/1.0 HTTP/1.1 200 OK Date: Fri, 01 Jan 1999 20:06:24 GMT Server: Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01 Content-Location: http://192.168.7.247/default.htm Last-Modified: Fri, 01 Jan 1999 20:06:24 GMT ETag: W/"e0d362a4c335be1:ae0" Accept-Ranges: bytes Content-Length: 133 Content-Type: text/html with ServerMask 2.0

HTTP Fingerprinting Objective: To accurately determine the underlying web server platform. Also attempt to uncover any plug-ins, app servers, etc. Based on implementation assumptions / peculiarities of the HTTP protocol spec.

HTTP Fingerprinting Fingerprinting logic Decision-tree based methods Statistical methods Neural Network based methods Fingerprinting engine Set of test cases, carefully chosen Response-tree Weight vectors

HTTP Fingerprinting Techniques Deviation from HTTP RFCs Behaviour not specified by the HTTP RFCs Default behaviour Header field order Implementation peculiarities Error analysis Cookie strings É similar to OS fingerprinting

HTTP Fingerprinting - Accuracy Choice of test cases Decision-trees are hard to scale Choice of result weights Scoring system Training input set (for neural networks)

HTTP Fingerprinting - example 1 REPORTED: Apache-AdvancedExtranetServer/1.3.19 (Linux- Mandrake/3mdk) mod_ssl/2.8.2 OpenSSL/0.9.6 PHP/4.0.4pl1 Best Match: Apache/1.3.x Microsoft-IIS/4.0: 23 Netscape-Enterprise/6.0: 24 Microsoft-IIS/5.0: 23 Netscape-FastTrack/4.1: 37 Microsoft-IIS/5.1: 22 Netscape-Enterprise/4.0: 10 Microsoft-IIS/6.0: 19 Netscape-Enterprise/4.1: 37 Microsoft-IIS/URLScan: 18 Netscape-Enterprise/3.6: 10 Apache/2.0.x: 70 Zeus/4.0: 29 Apache/1.3.27: 77 Zeus/4.1: 28 Apache/1.3.26: 76 Zeus/4_2: 23 Apache/1.3.x: 78 Lotus-Domino/5.0.x: 1 Apache/1.2.6: 73 AOLserver/3.4.2-3.5.1: 20 Stronghold/4.0-Apache/1.3.x: 68 Stronghold/2.4.2-Apache/1.3.x: 38 No obfuscation. Verification of testing.

HTTP Fingerprinting - example 2 REPORTED: WebSTAR Best Match: Apache/1.3.27 Apache/1.3.26 Microsoft-IIS/4.0: 29 Netscape-Enterprise/6.0: 26 Microsoft-IIS/5.0: 29 Netscape-FastTrack/4.1: 23 Microsoft-IIS/5.1: 29 Netscape-Enterprise/4.0: 14 Microsoft-IIS/6.0: 39 Netscape-Enterprise/4.1: 23 Microsoft-IIS/URLScan: 27 Netscape-Enterprise/3.6: 25 Apache/2.0.x: 56 Zeus/4.0: 10 Apache/1.3.27: 59 Zeus/4.1: 21 Apache/1.3.26: 59 Zeus/4_2: 27 Apache/1.3.x: 58 Lotus-Domino/5.0.x: 1 Apache/1.2.6: 43 AOLserver/3.4.2-3.5.1: 34 Stronghold/4.0-Apache/1.3.x: 51 Stronghold/2.4.2-Apache/1.3.x: 56 Recompiled Apache - banner patching. Easy to tell

HTTP Fingerprinting - example 3 REPORTED: Apache/1.3.23 (Unix) Best Match: Microsoft-IIS/4.0 Microsoft-IIS/4.0: 63 Netscape-Enterprise/6.0: 25 Microsoft-IIS/5.0: 53 Netscape-FastTrack/4.1: 28 Microsoft-IIS/5.1: 54 Netscape-Enterprise/4.0: 11 Microsoft-IIS/6.0: 31 Netscape-Enterprise/4.1: 28 Microsoft-IIS/URLScan: 50 Netscape-Enterprise/3.6: 22 Apache/2.0.x: 40 Zeus/4.0: 15 Apache/1.3.27: 49 Zeus/4.1: 16 Apache/1.3.26: 48 Zeus/4_2: 23 Apache/1.3.x: 48 Lotus-Domino/5.0.x: 2 Apache/1.2.6: 48 AOLserver/3.4.2-3.5.1: 21 Stronghold/4.0-Apache/1.3.x: 35 Stronghold/2.4.2-Apache/1.3.x: 33 Servermask: Scores are close enough to one another. Bit harder to tell.

HTTP Response Codes Customised error pages. A non existent page should return an HTTP 404 code. Many servers return: 301/302 - redirect to some starting page 200 OK - to fool crawlers Éand other customised codes.

Page Signatures Objective: To accurately identify proper HTTP response codes. Minimize false positives. Greatly helps in automated testing. Can be extended beyond error detection e.g. group similar pages together

Page Signatures Each HTTP response has a page signature. Content independent. Ability to overlook random content. Constant length. Computation time: O(n) Comparision time: O(k) 200:A302E6F1DC10112A5AF8624E5EA11B367F93DD04

Normal error page $ nc 192.168.7.70 8222 GET /junk HTTP/1.0 HTTP/1.1 404 Not Found Date: Tue, 04 Feb 2003 06:22:00 GMT Server: Apache/1.3.26 (Unix) mod_perl/1.26 mod_ssl/2.8.9 OpenSSL/0.9.6e Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>404 Not Found</TITLE> </HEAD><BODY> <H1>Not Found</H1> The requested URL /junk was not found on this server.<p> <HR> <ADDRESS>Apache/1.3.26 Server at 192.168.7.70 Port 8222</ADDRESS> </BODY></HTML>

Customised error page $ nc 192.168.7.70 8222 GET /junk HTTP/1.0 HTTP/1.1 200 OK Date: Tue, 04 Feb 2003 01:41:06 GMT Server: Apache-AdvancedExtranetServer/1.3.19 (Linux-Mandrake/3mdk) mod_ssl/2.8.2 OpenSSL/0.9.6 PHP/4.0.4pl1 Connection: close Content-Type: text/html; charset=iso-8859-1 <html><body><h1>sorry!</h1><p>random number: 318405.070147527<p>The link you requested <b>http://192.168.7.2/junk</b> was not found <p>please contact the site administrator at <a href="mailto:root@dev.null"> root@dev.null</a> if you feel this is in error. Alternately, try searching with Google <p>in 1 minute, you will be refreshed back to the main page <p><form method=get action=http://www.google.com/search> <IMG SRC=http://www.google.com/logos/Logo_40wht.gif border=0 ALT=Google align=absmiddle> <INPUT TYPE=text name=q size=15 maxlength=255><input type=submit name=btng VALUE=Search> </FORM></body></html>

Dealing with random content Page signatures are independent of content 200:A24518F019393885AD2B6A363342B876B6D27B8C http://192.168.7.2/junk 200:A24518F019393885AD2B6A363342B876B6D27B8C http://192.168.7.2/foundsquat 200:A24518F019393885AD2B6A363342B876B6D27B8C http://192.168.7.2/nope.html All of the above are 404 pages. Though their content may change, their signature doesnõt.

Reverse Proxy Servers Web proxy servers may work both ways! Typically meant to allow users from within a network to access external web sites. May end up proxying HTTP requests from the outside world to the internal network. e.g. Compaq Insight Manager Usually happens when the front end web server proxies requests to back end app servers.

Reverse Proxying 10.0.0.3 Web Client 10.0.0.1 DB GET http://10.0.0.3/ HTTP/1.0

Port Scanning through Proxies Issue multiple GET requests to the proxy: GET http://10.0.0.3:21/ HTTP/1.0 GET http://10.0.0.3:25/ HTTP/1.0 GET http://10.0.0.3:135/ HTTP/1.0 GET http://10.0.0.3:139/ HTTP/1.0 Use Page signatures to identify accurately if a port is open on an internal host.

Better CONNECTivity HTTP CONNECT can be used to open up a bi-directional TCP connection. Originally intended for SSL traffic. Often overlooked. Ability to tunnel arbitrary TCP data over an HTTP proxy connection. Once CONNECTed, the proxy simply passes the TCP data back and forth.

An Advanced HTTP attack example Scan an internal network through a proxy. 0wn a server on the internal network via Òone-wayÓ hacking techniques. Plant port redirectors through HTTP uploads. Set up a connection via HTTP CONNECT through the proxy to the internal redirector. É where the ÒArt of Attack and PenetrationÓ leaves off!

Closing Thoughts ÒYou cant patch (or hide) carelessnessó. Web Hacking: Attacks and Defense Saumil Shah, Shreeraj Shah, Stuart McClure Addison Wesley Ð 2002.

Thank you! saumil@ntobjectives.com saumil@net-square.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback