1. Hacking Web Servers April 15, 2010 MIS 4600 – MBA 5880 - © Abdou Illia

2. Objectives  Describe Web applications  Explain Web application vulnerabilities  Describe the tools used to attack Web servers 2

3. Web Applications components  Static Web pages  Created using HTML  Dynamic Web pages  Need special components  tags  Common Gateway Interface (CGI)  Active Server Pages (ASP)  PHP  ColdFusion  Scripting languages  Database connectors 3

4. Active Server Pages (ASP)  With ASP, developers can display HTML documents to users on the fly  Main difference from pure HTML pages  When a user requests a Web page, one is created at that time  ASP uses scripting languages such as JScript or VBScript  Not all Web servers support ASP 4

5. Active Server Pages (ASP) (continued)  ASP example My First ASP Web Page Hello, security professionals The time is.  Microsoft does not want users to be able to view an ASP Web page’s source code  This can create serious security problems 5

6. Apache Web Server  Tomcat Apache is another Web Server program  Tomcat Apache hosts anywhere from 50% to 60% of all Web sites  Advantages  Works on just about any *NIX and Windows platform  It is free  Requires Java 2 Standard Runtime Environment (J2SE, version 5.0) 6

7. Using Scripting Languages  Dynamic Web pages can be developed using scripting languages  VBScript  JavaScript  PHP 7

8. PHP: Hypertext Processor (PHP)  Enables Web developers to create dynamic Web pages  Similar to ASP  Open-source server-side scripting language  Can be embedded in an HTML Web page using PHP tags  Users cannot see PHP code on their Web browser  Used primarily on UNIX systems  Also supported on Macintosh and Microsoft platforms 8

9. 9 9  PHP example My First PHP Program Hello, Security Testers! '; ?>  As a security tester you should look for PHP vulnerabilities PHP: Hypertext Processor (cont.)

10. VBScript  Visual Basic Script is a scripting language developed by Microsoft  Converts static Web pages into dynamic Web pages  Takes advantage of the power of a full programming language  VBScript is also prone to security vulnerabilities  Check the Microsoft Security Bulletin for information about VBScript vulnerabilities 10

11. VBScript (cont.)  VBScript example document.write(" Hello Security Testers! ") document.write("Date Activated: " & date()) 11

12. 12

13. 13 JavaScript  Popular scripting language  JavaScript also has the power of a programming language  Branching  Looping  Testing  Variety of vulnerabilities exist for JavaScript that have been exploited in older Web browsers

14. JavaScript (continued)  JavaScript example function chastise_user() { alert("So, you like breaking rules?") document.getElementByld("cmdButton").focus() } "If you are a Security Tester, please do not click the command button below!" <input type="button" value="Don't Click!" name="cmdButton" onClick="chastise_user()" /> 14

15. 15

16. 16

17. SQL injection attacks  Imagine this form 17 Username:  Validate.asp Dim username, password, sql-statemet dim comm, rs username = request.Form(“username”) password = reqiest.Form(“password”) set comm = server.createObject(“ADODB.Connection” set rs = server.createObject(ADODB.Recordset) sql_statement = “SELECT * FROM customer WHERE tblusername = ‘” & username & “ ‘ AND tblpassword=‘” & password & “’” comm.Open “provider=SQLOLEDB; Data Source=(local); Initial Catalog=CustomerDB; User Id=sa; Password=“ rs.Open sql_statement if not rs.eof the response.write “Welcome!” else response.write “Please reenter your username and password” endif

18. SQL injection  If Bob logged on with his credential, the SELECT statement would loook like: SELECT * FROM customer WHERE tblusername = ‘bob’ AND tblpassword = ‘password’  If Bob entered the following when prompted: ‘ OR 1=1 --  Then the SQL statement would be SELECT * FROM customer WHERE tblusername = ‘ ’ OR 1=1 – ‘ AND tblpassword = ‘ ’  Because 1=1 is true, the querry will be successful. Double hyphens (--) are used to represent a comment in SQL 18