Web Application & Web Server Vulnerabilities Assessment
Pankaj Sharma, Indian Computer Emergency Response Team (CERT-In), Department of Information Technology
Agenda
- Introduction
  - What are Web Applications?
  - Web server deployment architecture
  - What is Vulnerabilities Assessment?
  - VA & PT
- Configuration related vulnerabilities
  - Insecure Configuration
  - Improper error handling
  - Directory Indexing
- Application related vulnerabilities
  - Technical vulnerabilities: Unvalidated input, Cross-Site Scripting flaws, Content Injection flaws
  - Security Vulnerabilities: Denial of Service, Session management
- Secure Architecture
- Best Practices
- Q&A
What are Web Applications?
A web application is an application delivered to users from a web server over a network such as the World Wide Web or an intranet.
(Diagram: a web application is client/server software; the browser is the client and talks to the web server over HTTP.)
Web server deployment architecture
Process
What is Vulnerabilities Assessment?
A vulnerability assessment is the process of identifying, quantifying, and ranking the vulnerabilities in a system. Assessments are typically performed according to the following steps:
1. Cataloguing the resources in a system.
2. Assigning rank and importance to those resources.
3. Identifying threats and vulnerabilities for each resource.
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources.
What is Penetration Testing?
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, using a proof of concept rather than a real exploit.
VA & PT
VA:
- General in scope; includes a large assessment.
- Predictable: the admin has prior information about the scan.
- Unreliable at times, with a high rate of false positives.
- Vulnerability assessment invites debate among system admins.
- Produces a report with mitigation guidelines and action items.
PT:
- Focused in scope; may include targeted attempts to exploit specific vulnerabilities.
- Unpredictable by the recipient.
- Highly accurate and reliable.
- Penetration testing = proof of concept against vulnerabilities.
- Produces a binary result: either the team owned you, or they didn't.
Web Server Configuration related vulnerabilities
Insecure Configuration: configuration problems such as
- Unpatched security flaws
- Improper file and directory permissions
- Overly informative error messages
- Unnecessary services enabled
- Default accounts with their default passwords
- Administrative or debugging functions that are enabled
Web Server Configuration related vulnerabilities
Improper error handling introduces a variety of security problems for a web application. Detailed internal error messages are displayed to the user:
- Database dumps
- Table names
- Attribute names
- Error codes
This means an attacker can use the leaked details to reach sensitive information as if they were a legitimate user, for example by using SQL injection or cross-site scripting.
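As an added illustration (not code from this presentation), the following Python sketch contrasts the two error-handling choices the slide describes: echoing the internal error to the browser, versus logging the detail server-side under an opaque reference id and returning only a generic message. The `lookup_user` function, its error text and the reference-id scheme are constructed for the demo.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


def lookup_user(username):
    # Hypothetical data-access call standing in for a real query. It fails with
    # the kind of message (driver name, table and column names) that becomes an
    # information leak if it is echoed back to the browser. Constructed text.
    raise RuntimeError(
        "ODBC error: Invalid column name 'userpass' in table 'users' (line 42)"
    )


def render_error_verbose(exc):
    # Improper error handling: the internal message reaches the user as-is.
    return 500, "Internal error: " + str(exc)


def render_error_safe(exc):
    # Proper handling: the full detail (with traceback) goes to the server log
    # under an opaque reference id; the client sees only a generic message and
    # the id, which support staff can use to find the log entry.
    ref = uuid.uuid4().hex
    log.error("ref=%s %s: %s", ref, type(exc).__name__, traceback.format_exc())
    return 500, "An error occurred. Reference: " + ref


def handle_request(username, safe=True):
    # Returns (status, body) the way a web framework handler would.
    try:
        return 200, "Welcome " + lookup_user(username)
    except Exception as exc:
        return render_error_safe(exc) if safe else render_error_verbose(exc)


def leaks_schema(body):
    # Check used to compare the two behaviours: does the response body expose
    # database object names or driver details? (Markers match the constructed
    # error text above.)
    markers = ("ODBC", "table", "column", "users", "userpass")
    return any(m in body for m in markers)


if __name__ == "__main__":
    for safe in (False, True):
        status, body = handle_request("Ram", safe=safe)
        print(f"safe={safe} status={status} leaks={leaks_schema(body)} body={body!r}")
```

The reference id is the only thing the two responses share: the verbose version hands the schema to whoever triggered the error, while the safe version keeps it in a log that only administrators can read.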
Web Server Configuration related vulnerabilities
Information Disclosure: the Information Disclosure section covers attacks designed to acquire system-specific information about a web site.
Directory Indexing: directory indexing is when a directory listing of files is displayed in a browser instead of an actual web page. This occurs when a URL resolves to a directory that does not contain a default file. Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file (index.html, home.html, default.htm, default.asp, default.aspx, index.php) is not present.
Configuration related vulnerabilities
The following information could be obtained from directory indexing data:
- Backup files, with extensions such as .bak, .old or .org
- Temporary files
- Hidden files
- Naming conventions
- Enumerated user accounts
- Configuration file contents
- Script contents
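The two slides above describe what directory indexing exposes: every directory without a default document gets listed, and backup, hidden, configuration and script files in it become visible. As an added example (not part of the presentation), the Python script below audits a document root from the server side for exactly those conditions. The file names, extensions and the sample tree are constructed for the demo; the set of default documents is the one the slide lists.

```python
import os
import tempfile

# Default documents named on the slide: a directory containing none of these
# is listed when automatic indexing is on.
INDEX_FILES = {"index.html", "home.html", "default.htm", "default.asp",
               "default.aspx", "index.php"}
# Constructed patterns for the file kinds the slide says indexing reveals.
BACKUP_SUFFIXES = (".bak", ".old", ".org", ".orig", ".swp", "~")
CONFIG_NAMES = {"config.php", "web.config", ".htaccess", ".htpasswd", ".env"}
LEGACY_SCRIPTS = {"phf"}  # the slide's own example of an unnecessary CGI file


def classify(name):
    """Return a reason string if the file should not be reachable, else None."""
    if name in CONFIG_NAMES:
        return "config"
    if name.startswith("."):
        return "hidden"
    if name in LEGACY_SCRIPTS:
        return "legacy script"
    if name.lower().endswith(BACKUP_SUFFIXES):
        return "backup"
    return None


def audit_docroot(root):
    """Walk a document root and return (findings, unindexed_dirs):
    findings   - sorted (relative path, reason) pairs for risky files
    unindexed  - sorted relative directories with no default document,
                 i.e. the ones a server with indexing on would list."""
    findings, unindexed = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if not INDEX_FILES.intersection(filenames):
            unindexed.append(rel_dir)
        for name in filenames:
            reason = classify(name)
            if reason:
                findings.append((os.path.join(rel_dir, name), reason))
    return sorted(findings), sorted(unindexed)


def build_sample_docroot():
    """Create a constructed sample tree in a temp directory for the demo."""
    root = tempfile.mkdtemp()
    layout = {
        "index.html": "<html></html>",
        "login.asp.bak": "old copy of the login page",
        ".htpasswd": "admin:hash",
        "scripts/phf": "#!/bin/sh",
        "scripts/db.php.old": "old database settings",
        "images/logo.png": "png bytes",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    findings, unindexed = audit_docroot(root)
    for path, reason in findings:
        print(f"{reason:14} {path}")
    print("directories that would be listed:", unindexed)
```

Running it against the sample tree flags the backup of the login page, the password file, the stale database settings and the phf script, and reports that scripts/ and images/ have no default document. The fix on the server is to disable automatic indexing and remove the flagged files; this script only shows what an attacker would otherwise read off the listing.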
Web Application Related Vulnerabilities
Web Application Related Vulnerabilities
Unvalidated input: parameters used in URLs, HTTP headers, and forms are often used to control and validate access to sensitive information.
Tainted parameters: any part of an HTTP request that is used by a web application without being carefully validated is known as a tainted parameter. The simplest way to find tainted parameter use is a detailed code review, searching for all the calls where information is extracted from an HTTP request.
Web Application Related Vulnerabilities
Cross-Site Scripting (XSS) takes advantage of a vulnerable web site to attack clients who visit that web site. The most frequent goal is to steal the credentials of users who visit the site.
Web Application Related Vulnerabilities
Cross-Site Script Attack
1. A URL containing a malicious script is sent to the client.
2. The user clicks the malicious link, and the request goes to the server with the malicious script.
3. The server sends the response back to the client with the malicious script.
4. The browser gets the data from the server with the malicious script and executes that script, as the browser assumes that the HTML or script tag came from the requested page.
Ways to send the attacker's script to the victim:
- Message board
- URL provided on a third-party web site
- By email
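The sequence above is reflected XSS: the server copies a request parameter into the page unchanged, so whatever is in the link runs in the victim's browser. As an added example (not from the presentation), the Python below models a search page that echoes its `q` parameter, first unsafely and then with HTML output encoding, and a small check that tells the two apart. The URL, parameter name and page markup are constructed for the demo.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed request: a link carrying a script in the q parameter, as a
# message board post or e-mail might. The payload is a harmless alert.
SAMPLE_URL = "http://example.com/search?q=%3Cscript%3Ealert(%27xss%27)%3C/script%3E"


def param_from_url(url, name):
    """Extract one query parameter the way a server framework would."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_results_unsafe(q):
    # The flaw: the tainted parameter is placed in the HTML body verbatim, so
    # the browser treats its <script> tag as part of the requested page.
    return "<p>Results for: " + q + "</p>"


def render_results_safe(q):
    # The fix for an HTML-body context: encode <, >, &, " and ' so the
    # browser renders the text instead of parsing it as markup.
    return "<p>Results for: " + html.escape(q, quote=True) + "</p>"


def contains_active_content(body):
    """Crude response check for the demo: does a script element or an inline
    event handler survive into the rendered page?"""
    lowered = body.lower()
    return ("<script" in lowered or " onerror=" in lowered
            or " onload=" in lowered)


if __name__ == "__main__":
    q = param_from_url(SAMPLE_URL, "q")
    for label, page in (("unsafe", render_results_unsafe(q)),
                        ("safe", render_results_safe(q))):
        print(f"{label}: active={contains_active_content(page)} {page}")
```

Encoding has to match the context the value lands in: `html.escape` is right for text between tags and for quoted attribute values, but a value placed inside a script block, a URL or a CSS property needs that context's encoding instead, and input validation on the way in remains a second line of defence.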
Web Application Related Vulnerabilities
Content Injection flaws
- SQL injection: allows commands to be executed directly against the database, allowing disclosure and modification of data in the database.
- XPath injection: allows an attacker to manipulate the data in the XML database.
- Command injection: OS and platform commands can often be used to give attackers access to data and escalate privileges on backend servers.
SQL Injection through Login Page: using an "or" condition
Web Application Attacks: SQL Injection - login form
Web Application Related Vulnerabilities
Authorization script in the web page: Login.asp

    <%
    dim username, password, query
    dim conn, rs
    username = Request.Form("userName")
    password = Request.Form("password")
    set conn = server.createobject("adodb.connection")
    set rs = server.createobject("adodb.recordset")
    ' the flaw: user input is concatenated straight into the SQL statement
    query = "select count(*) from users where username='" & username & "' and userpass='" & password & "'"
    conn.open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=myDB; User Id=sa; Password="
    rs.activeconnection = conn
    rs.open query
    ' count(*) always returns one row, so test the count rather than rs.eof
    if rs(0) > 0 then
        response.write "Logged In SQL world"
    else
        response.write "Bad Credentials"
    end if
    %>
Web Application Related Vulnerabilities
To bypass this authorization check, the user enters the following in the login form:
Username: Ram
Password: ' or 1=1 --
Output: "Logged In SQL world"
Web Application Attacks: SQL Injection
The resultant query would now look like:
select count(*) from users where username='Ram' and userpass='' or 1=1 --'
The query now checks for an empty password,
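The Login.asp slide and the two that follow walk through one string-concatenated query. As an added example (not code from the presentation), the Python below reproduces that query builder against an in-memory SQLite table, feeds it the slide's input, and sets a parameterized version beside it. The table contents and the stored password are constructed; the query text and the Ram / `' or 1=1 --` input are the slide's own.

```python
import sqlite3


def setup_db():
    # Constructed sample table with one user; the stored password is made up.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, userpass text)")
    conn.execute("insert into users values ('Ram', 'correct-horse')")
    conn.commit()
    return conn


def build_concat_query(username, password):
    # Same construction as Login.asp: the form fields are spliced into the SQL.
    return ("select count(*) from users where username='" + username +
            "' and userpass='" + password + "'")


def login_concat(conn, username, password):
    """Vulnerable check: runs whatever SQL the concatenation produced.
    With password  ' or 1=1 --  the WHERE clause becomes
    username='Ram' and userpass='' or 1=1 --'  and the trailing quote is
    commented out, so the count is the whole table and login succeeds."""
    count = conn.execute(build_concat_query(username, password)).fetchone()[0]
    return count > 0


def login_param(conn, username, password):
    """Hardened check: placeholders bind the values as data, so quotes and
    comment markers in the password are compared literally, never parsed."""
    query = "select count(*) from users where username=? and userpass=?"
    count = conn.execute(query, (username, password)).fetchone()[0]
    return count > 0


if __name__ == "__main__":
    conn = setup_db()
    injected = "' or 1=1 --"
    print(build_concat_query("Ram", injected))
    print("concatenated :", login_concat(conn, "Ram", injected))   # True
    print("parameterized:", login_param(conn, "Ram", injected))    # False
    print("real password:", login_param(conn, "Ram", "correct-horse"))  # True
```

The parameterized form needs no special handling of quotes or `--` because the database driver never lets the password become part of the statement text; that is the change to make in Login.asp (ADO parameters on a Command object), together with dropping the `sa` account with a blank password from the connection string.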
Security Vulnerabilities
Logical Attacks: Denial of Service (DoS) Attacks
- Temporarily cease operations of the web application.
- Exploit an application vulnerability.
Security Vulnerabilities
Classification of DoS attacks
- Bandwidth consumption
- Resource starvation
- Programming flaws in web applications
- DoS targeting a specific user: user accounts locked out during a password-cracking attempt
- DoS targeting the database server: modify the database so that the system becomes unusable
- DoS targeting the web server: buffer overflow techniques send a specially crafted request that crashes the web server process, after which the system is normally inaccessible to normal user activity
Web Application Related Vulnerabilities
Session management
- Session: the connection between user and server
- Temporary and unique
- Stores parameters relevant to the user
A URL containing the session ID might look something like:
http://www.12345randomsite.com/view/7ad30725122120803
Security Vulnerabilities
Credential/Session Prediction: hijacking or impersonating a web site user by generating an authentication session ID, using brute-forced or reverse-engineered session IDs.
Web Application Related Vulnerabilities
Calculate: IDs that are generated in a non-random manner can be calculated, e.g.
http://www.123greetings.com/view/ad3075122110120
Pressing Back, we will see a few more URLs with copies of my greeting cards, like the ones below:
http://www.123greetings.com/view/ad30725122116211
http://www.123greetings.com/view/ad30725122118901
http://www.123greetings.com/view/ad30725122120803
GUESS? The beginning (ad3) looks fairly constant for each session ID. The next part (07251221) is the time, 25 July at 12:21; eliminate it, and only the remaining five digits at the end of the URLs are randomly generated. With prior knowledge of the time at which the visitor sent the greeting, we can formulate and guess most of the session ID except for the last five digits.
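The slide's reasoning (constant prefix, a time stamp, five random digits) can be made concrete by measuring how much of the ID is actually unpredictable. As an added example (not part of the presentation), the Python below decomposes the three 16-character IDs quoted on the slide, works out the guess space left once the time is known, and contrasts it with an ID from a cryptographic random source. The field widths are read off the slide's IDs; the `describe_stamp` format is an assumption that matches the slide's reading of 07251221 as 25 July 12:21.

```python
import math
import secrets
from datetime import datetime

# The three IDs from the slide (16 characters each).
SAMPLE_IDS = [
    "ad30725122116211",
    "ad30725122118901",
    "ad30725122120803",
]


def decompose(session_id):
    """Split an ID into (constant prefix, MMDDHHMM time stamp, random suffix)
    using the widths observed on the slide: 3 + 8 + 5 characters."""
    return session_id[:3], session_id[3:11], session_id[11:]


def describe_stamp(stamp):
    """Render the MMDDHHMM field as text (assumed layout)."""
    return datetime.strptime(stamp, "%m%d%H%M").strftime("%d %B at %H:%M")


def guesses_given_time(ids):
    """Number of candidate IDs an attacker who knows the prefix and the minute
    must try: 10 to the power of the random suffix length. Raises if the
    samples do not share a prefix, stamp and suffix width, since the model
    would not apply to them."""
    prefixes = {decompose(i)[0] for i in ids}
    stamps = {decompose(i)[1] for i in ids}
    widths = {len(decompose(i)[2]) for i in ids}
    if len(prefixes) != 1 or len(stamps) != 1 or len(widths) != 1:
        raise ValueError("samples do not fit the prefix+stamp+suffix model")
    return 10 ** widths.pop()


def effective_bits(guess_space):
    """Entropy in bits equivalent to a guess space of that size."""
    return math.log2(guess_space)


def token_bits(nbytes):
    return nbytes * 8


def new_session_id(nbytes=16):
    # Replacement: 16 bytes from the OS CSPRNG (128 bits), no structure to
    # strip away and no relation to the time the session was created.
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    prefix, stamp, suffix = decompose(SAMPLE_IDS[0])
    print(f"prefix={prefix} stamp={stamp} ({describe_stamp(stamp)}) random={suffix}")
    space = guesses_given_time(SAMPLE_IDS)
    print(f"guesses once the minute is known: {space} (~{effective_bits(space):.1f} bits)")
    print(f"secrets.token_hex(16): {new_session_id()} ({token_bits(16)} bits)")
```

Once the prefix and minute are known, the predictable scheme leaves about 16.6 bits to search, a few hundred thousand requests at most, whereas a 128-bit random token offers no structure to exploit. Rate limiting and binding the session to a server-side record help, but the durable fix is generating IDs from a CSPRNG in the first place.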
Secure Architecture
BEST PRACTICES
- Place your web server(s) in a DMZ.
- Set your firewall to drop connections to your web server on all ports; only http (port 80) or https (port 443) should be open.
- Remove all unneeded services from your web server.
- Disallow all remote administration unless it is done using a one-time password or an encrypted link.
- Limit the number of persons having administrator or root level access.
- Log all user activity and maintain those logs either in an encrypted form on the web server or store them on a separate machine on your intranet.
- Monitor system logs regularly for any suspicious activity.
- Remove ALL unnecessary files such as phf from the scripts directory /cgi-bin.
- Remove the "default" document trees that are shipped with web servers.
- Do all updates from your intranet.
- Scan your web server periodically with tools like ISS or nmap to look for vulnerabilities.
- Have intrusion detection software monitor the connections to the server.
Thanks
pankaj@cert-in.org.in