Published by Ferdinand Harvey. Modified over 9 years ago.
ISA 330 Introduction to Proactive System Security
Philip Robbins – November 9, 2013
Hacking Web Servers and Applications
Information Security & Assurance Program, University of Hawai'i West Oahu
Week #6
Hacking Web Servers and Applications – Topics
– Web Applications
– Web Servers
– Review
– Q&A
– Quiz #5
What are Web Applications?
Any application that uses a web browser as a client.
– Convenient.
– Method of distribution is popular.
– Web apps have a larger user base than standalone applications.
Web Applications and Web Servers
Web Applications
Static Web Pages
– Created using HTML.
– Same information provided regardless of time or user.
Dynamic Web Pages
– Information provided varies.
– Special components used: forms, CGI, ASP, PHP, CF, JavaScript, database connectors.
Web Applications – Static Web Pages vs. Dynamic Web Pages
Web Application Components – Web Forms
– Uses a form element (tag) in the HTML document.
– Allows the user to submit information to the Web server.
– Web servers process information from a form using a Web application.
– Gives attackers an easy way to intercept submitted data.
Web Application Components – Common Gateway Interface (CGI)
– Method used to generate dynamic content for web pages and applications.
– Provides an interface between the content within databases and the applications that generate / “serve up” web content.
– A CGI script can be written in Perl, Java, Python, or any other programming language.
– Placed in the cgi-bin directory on the Web server.
Web Application Components – Common Gateway Interface (CGI)
– Web server software executes the CGI script.
– The CGI script creates an HTML page with dynamically obtained info.
(diagram: Script / Server)
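The request/response flow on the two CGI slides above, as an added example that is not from the slides: a CGI-style script in Python that reads the request from the environment variables a web server sets for it (REQUEST_METHOD, QUERY_STRING, CONTENT_LENGTH), takes a POST body from standard input, and writes the header block, blank line and generated HTML that the CGI convention requires. The greeting page and the parameter name `name` are made up for the example.

```python
"""CGI-style responder (added example, not from the slides).

A web server running this from cgi-bin sets the request details in the
process environment and passes any POST body on stdin; the script must
print header lines, an empty line, and then the page body.
"""
import html
import os
import sys
from urllib.parse import parse_qs


def build_page(environ: dict, post_body: str = "") -> str:
    """Return the complete CGI response (headers + body) for one request.

    `environ` mimics the CGI environment (REQUEST_METHOD, QUERY_STRING);
    `post_body` is the already-read request body for POST requests.
    """
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "GET":
        raw = environ.get("QUERY_STRING", "")
    elif method == "POST":
        raw = post_body
    else:
        # Anything else is refused; a Status header sets the HTTP code.
        return ("Status: 405 Method Not Allowed\r\n"
                "Content-Type: text/plain\r\n\r\nunsupported method\n")

    # parse_qs returns a list per key; take the first value or a default.
    params = parse_qs(raw, keep_blank_values=True)
    name = params.get("name", ["stranger"])[0]

    # The parameter is reflected into the page, so it is HTML-escaped:
    # markup in the query string must be shown as text, not interpreted.
    body = (
        "<html><body>\n"
        f"<h1>Hello, {html.escape(name)}!</h1>\n"
        f"<p>Request method: {html.escape(method)}</p>\n"
        "</body></html>\n"
    )
    # CGI output format: header lines, blank line, body.
    return "Content-Type: text/html; charset=utf-8\r\n\r\n" + body


if __name__ == "__main__":
    env = dict(os.environ)
    if "REQUEST_METHOD" not in env:
        # Not launched by a web server: simulate a GET request (constructed).
        env = {"REQUEST_METHOD": "GET", "QUERY_STRING": "name=Alice"}
    body = ""
    if env.get("REQUEST_METHOD", "").upper() == "POST":
        # The server tells us how many bytes of body to read from stdin.
        body = sys.stdin.read(int(env.get("CONTENT_LENGTH") or 0))
    sys.stdout.write(build_page(env, body))
```

Run stand-alone it prints a simulated GET response; dropped into a cgi-bin directory it behaves as the slide's diagram describes, with the server supplying the environment and stdin.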
Web Application Components – Common Gateway Interface (CGI)
Which programming language? Static or dynamic page?
Web Application Components – Active Server Pages (ASP)
– Microsoft’s first server-side script engine for dynamically generated web pages.
– Not a programming language.
– Technology that allows the creation of dynamic, interactive web pages using scripting languages like JScript or VBScript.
– Runs only on Windows platforms.
– Web servers running IIS support ASP.
– ASP.NET supersedes ASP and is supported by IIS 5.0+.
Web Application Components – Active Server Pages (ASP)
(diagram: runs script and returns HTML)
Web Application Components – PHP: Hypertext Preprocessor (PHP)
– Similar to ASP.
– Open-source server-side scripting language used to create dynamic web pages.
– Embedded in an HTML Web page using PHP tags.
– The source code should not be viewable in Web browsers.
– Originally used mainly on UNIX systems.
Web Application Components – ColdFusion
– Another server-side scripting language for developing dynamic Web pages.
– Uses proprietary tags.
– Written in ColdFusion Markup Language (CFML).
– Can contain other languages (e.g. HTML, JavaScript).
Web Application Components – VBScript
– Active Scripting language.
– Developed by Microsoft.
– Modeled on Visual Basic.
– Converts static web pages into dynamic web pages.
– Lightweight programming language with powerful features.
Web Application Components – JavaScript
– Popular scripting language for creating dynamic web pages.
– Widely used.
– Variety of vulnerabilities.
Web Application Components – Internet Information Services (IIS)
– Formerly named “Internet Information Server”.
– Internet-based services installed on Web servers running Microsoft Windows.
Web Application Components – Apache Web Server
– Another web server program.
– Runs on twice as many web servers compared to IIS.
– Free.
– Works on any platform (*nix and Windows).
Connecting to Databases
Open Database Connectivity (ODBC)
– Programming-language middleware API for accessing database management systems (DBMS).
Object Linking and Embedding Database (OLE DB)
– Allows applications to access data stored in a DBMS.
– Designed by Microsoft to be faster, more efficient, and more stable than ODBC.
– Depending on the data source you’re connecting to, you may use a different “provider”.
Web Application Vulnerabilities
– Many platforms and programming languages can be used to design a Web site.
– Important to remember: application security is just as important as network security! Network-layer protection doesn’t prevent application-layer attacks from occurring.
Web Application Vulnerabilities
– Attackers controlling a Web site can:
  Deface the site.
  Destroy the company’s database.
  Steal information (PII) and sell it.
  Perform other (secondary) attacks.
  Gain root access to other application servers.
  Exploit server-side scripting.
How are Web Sites Defaced?
– Man-in-the-middle attack
– Password brute-force attack on admin accounts
– DNS attack
– FTP server intrusion
– Mail server intrusion
– Rerouting after firewall attack
– SQL injection
– URL poisoning
– Web server extension intrusion
– Remote service intrusion
Top Web Application Vulnerabilities
– Cross-Site Scripting (XSS) flaws
– Injection flaws and malicious file execution
– Unsecured direct object reference (URL manipulation)
– Cross-site request forgery (CSRF)
– Information leakage and incorrect error handling
– Broken authentication and session management
– Unsecured cryptographic storage
– Unsecured communications
– Failure to restrict URL access
Web Application Threats – Command Injection Flaws
– Allow attackers to pass malicious code to different systems via a Web application.
Web Application Threats – Parameter/Form Tampering
– Takes advantage of the fact that many programmers rely on hidden or fixed fields as the only security measure for certain operations.
(diagram: steps #1, #2, #3)
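An added example (not from the slides) of the hidden-field problem just described: a toy checkout that trusts a `price` field posted by the browser, beside one that takes the price from a server-side catalogue and validates the quantity, plus a check that flags a form whose price disagrees with the catalogue so the attempt can be logged. The catalogue, the SKUs and the request dictionaries are constructed for the example.

```python
"""Parameter/form tampering: hidden price field vs server-side lookup.
Added example; catalogue and request data are constructed."""
from decimal import Decimal, InvalidOperation

# Server-side source of truth: the only place a price should come from.
CATALOGUE = {
    "sku-100": Decimal("49.99"),
    "sku-200": Decimal("199.00"),
}


def checkout_trusting_form(form: dict) -> Decimal:
    """Vulnerable: uses the hidden 'price' field exactly as the browser sent
    it, so anyone who edits the form or replays the POST sets the price."""
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty


def checkout_server_side(form: dict) -> Decimal:
    """Hardened: the price is looked up by SKU on the server, the quantity
    is range-checked, and any submitted 'price' is simply ignored."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer") from None
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty


def rejected(form: dict) -> bool:
    """True when the hardened checkout refuses the form."""
    try:
        checkout_server_side(form)
        return False
    except ValueError:
        return True


def tamper_detected(form: dict) -> bool:
    """Detection signal worth logging: a submitted price that does not match
    the catalogue means the form was altered on the client side."""
    sku = form.get("sku")
    if sku not in CATALOGUE or "price" not in form:
        return False
    try:
        return Decimal(form["price"]) != CATALOGUE[sku]
    except InvalidOperation:
        return True  # non-numeric price is not something the form produces


if __name__ == "__main__":
    tampered = {"sku": "sku-100", "qty": "2", "price": "0.01"}
    print("trusting the form charges:", checkout_trusting_form(tampered))
    print("server-side lookup charges:", checkout_server_side(tampered))
    print("tamper detected:", tamper_detected(tampered))
```

The detection helper is the part to wire into logging: a mismatch between a posted price and the catalogue is a high-confidence indicator of a tampered form, not user error.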
Web Server Vulnerabilities
– Server vulnerabilities can be exploited by hackers using their browser’s address window, causing commands to be executed.
Web Server Vulnerabilities – Canonicalization error in IIS 4.0 and 5.0
– Enables an intruder to make use of a specific malformed URL in order to access files and folders located on the logical drive that includes the Web folders.
Web Application Threats – Cross-Site Scripting (XSS) Flaws
– Injection of malicious code into an otherwise legitimate website.
– The injected code is executed by unsuspecting users when they view the website, resulting in a potential breach of privacy, session hijacking, or drive-by download of malware.
– The attacker takes advantage of the trust you have in a website’s security.
Web Application Threats – Cross-Site Scripting (XSS) Flaws
– Attacks occur in the browser and are platform independent.
– Two categories: reflected (non-persistent) and stored (persistent).
Web Application Threats – Cross-Site Scripting (XSS) Flaws
(diagrams; stored XSS: the payload is stored on the website)
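Added example (not part of the slides) showing both XSS categories in one toy guestbook page: the search parameter is the reflected sink, the saved comments are the stored sink that fires for every later visitor. The vulnerable renderer concatenates untrusted values into HTML; the fix escapes them at output time, and the session cookie is marked HttpOnly so script running in the page cannot read it. The page layout, the comments and the cookie name are constructed.

```python
"""Reflected vs stored XSS in a toy guestbook, with output encoding.
Added example; page, comments and cookie name are constructed."""
import html

# Constructed comment store. The second entry is a stored-XSS payload
# saved by one visitor; it is served to everyone who views the page.
GUESTBOOK = [
    "Great site!",
    "<script>alert('stored')</script>",
]


def render_vulnerable(search: str, comments: list) -> str:
    """Untrusted input goes straight into HTML: `search` is the reflected
    sink (it only hits the user who follows a crafted link), `comments`
    the stored sink (it hits every visitor)."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return f"<p>Results for: {search}</p><ul>{items}</ul>"


def render_safe(search: str, comments: list) -> str:
    """Same page with every untrusted value HTML-escaped at output time,
    so '<', '>', '&' and quotes are displayed instead of interpreted."""
    items = "".join(f"<li>{html.escape(c)}</li>" for c in comments)
    return f"<p>Results for: {html.escape(search)}</p><ul>{items}</ul>"


def session_cookie_header(token: str) -> str:
    """Set-Cookie line for the session id. HttpOnly stops document.cookie
    from reading it (limits session hijacking if XSS still slips through),
    Secure limits it to TLS, SameSite=Strict limits cross-site requests."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Strict"


def contains_active_content(fragment: str) -> bool:
    """Cheap response-side check for a test suite or WAF rule: does the
    rendered page still contain an unescaped script tag?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    probe = "<script>alert('reflected')</script>"
    print("vulnerable:", render_vulnerable(probe, GUESTBOOK))
    print("safe:      ", render_safe(probe, GUESTBOOK))
    print(session_cookie_header("constructed-token"))
```

Note the asymmetry the slides point out: with the vulnerable renderer a perfectly ordinary search still serves the stored payload to the visitor, while the reflected one needs the victim to submit the crafted value.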
Web Application Threats – Cookie/Session Poisoning
– Cookies frequently transmit sensitive credentials.
– They can be modified with relative ease in order to escalate access or assume another user’s identity.
– Modify the cost of purchases.
Web Application Threats – Buffer / Stack Overflow
– The execution stack of a Web application is damaged when a buffer overflows.
Web Application Threats – Directory Traversal / Forceful Browsing
– The attacker is able to browse for directories and files outside the normal application access.
Web Application Threats – Attack Obfuscation
– Attackers often work hard to mask or hide their attacks, and avoid detection by encoding their requests with methods such as URL encoding using Unicode.
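Added example (not from the slides) covering the traversal, canonicalization and encoding points on the preceding slides from the defender's side: mapping a requested URL path onto the web root so that `..` sequences, backslashes and single- or double-percent-encoded forms cannot escape it, with the decision made on the fully decoded, canonical path rather than on the raw request string. The web root `/srv/webroot` and the request paths are constructed and need not exist on disk.

```python
"""Canonical path check for a web root (added example, not from the slides).
Decode first, canonicalise second, compare last: filters that match on
the raw URL miss encoded and double-encoded variants."""
import os
from urllib.parse import unquote


class TraversalAttempt(ValueError):
    """Raised when the canonical path would leave the web root."""


def decode_fully(path: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (double encoding is used to get past
    filters that decode once); stop when decoding no longer changes it."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_under_root(web_root: str, request_path: str) -> str:
    """Return the canonical filesystem path for `request_path`, or raise
    TraversalAttempt if it escapes `web_root`."""
    decoded = decode_fully(request_path)
    # Windows/IIS treat backslash as a separator; canonicalise it too.
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        raise TraversalAttempt("NUL byte in path")
    root = os.path.realpath(web_root)
    # realpath collapses '.' and '..' and follows symlinks, so the
    # comparison is made on what the OS would actually open.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise TraversalAttempt(f"path escapes web root: {request_path!r}")
    return candidate


def is_traversal(web_root: str, request_path: str) -> bool:
    """Convenience wrapper for log review or tests: True if rejected."""
    try:
        resolve_under_root(web_root, request_path)
        return False
    except TraversalAttempt:
        return True


if __name__ == "__main__":
    root = "/srv/webroot"  # constructed
    for req in ["/index.html", "/docs/../index.html",
                "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd",
                "/%252e%252e/etc/passwd", "/..%5c..%5cwindows/win.ini"]:
        print(f"{req!r:40} traversal={is_traversal(root, req)}")
```

The ordering matters more than any single check: a request is judged only after every encoding layer is removed and the path is canonical, which is exactly where the IIS canonicalization error on the earlier slide went wrong.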
Web Application Threats – Platform Exploits
– Web applications are built upon application platforms.
– Platforms are well understood and have well-known vulnerabilities with associated exploits.
Web Application Threats – Cryptographic Interception
– Attackers attack sensitive handoff points where data is temporarily unprotected.
Web Application Threats
Authentication Hijacking
– Insecure credential and identity management can lead to account hijacking and theft of services.
Log Tampering
– An attacker, in an attempt to cover tracks, will usually delete logs, modify logs, change user information, and otherwise destroy all evidence of the attack.
Error Message Interception
– Error messages that contain site-specific information allow attackers to learn private application architectures.
Web Application Threats
Network Access Attacks
– Attacks using techniques such as spoofing, bridging, ACL attacks, and stack attacks attempt to pass through intended access control and routing policies.
TCP Fragmentation
– Fragmenting an attack into multiple TCP packets allows attackers to slip by devices that inspect only the packets and not the entire session.
SQL – WTF is it?
Structured Query Language (SQL)
– Pronounced “sequel”.
– Newbs pronounce it “ess cue ell”.
– Programming language.
– Manages data in databases.
– SQL injection is one of the most common vulnerabilities today!
Web Application Threats – SQL Injection
– Uses command sequences from SQL statements to control database data directly.
Web Application Threats – SQL Injection Login Bypass
The power of ' (the single quote): it closes the string parameter, so anything after it is considered part of the SQL command.
Comments: /* */ and --. Because anything after the -- is ignored, the injection works even without any specific injection into the password field.
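Added example (not from the slides) of the login bypass just described, using Python's sqlite3 module with an in-memory database: the query built by string concatenation is defeated by `' OR 1=1 --` in the username field alone, while the parameterised query treats the same text as a plain username. The users table, its single account and the unsalted SHA-256 password hash are constructed for the demo only.

```python
"""SQL injection login bypass and the parameterised fix.
Added example; users table and account are constructed."""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build the constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    # Demo only: a real system uses a slow, salted password hash.
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the statement by concatenation. A quote inside `username`
    closes the string literal; '--' comments out the rest of the line,
    including the password comparison."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{pw_hash}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver sends the values separately from
    the statement text, so quotes and comment markers are just characters
    to be matched against the column."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash)).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 --"
    print("vulnerable, bypass string:", login_vulnerable(db, probe, "x"))
    print("safe, same string:        ", login_safe(db, probe, "x"))
    print("safe, real credentials:   ", login_safe(db, "alice", "correct horse"))
```

The statement the vulnerable function actually sends is `... WHERE username = '' OR 1=1 --' AND pw_hash = '...'`, which is why the password field never matters, exactly as the slide says.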
Web Application Threats – SQL Injection – Disruption
“I don’t care about the data; I just want to bring the application down.”
Protecting our Web Applications & Servers
Assessing our Web Applications & Servers
Look for answers to some important questions:
– Does the Web application use dynamic Web pages?
– Does the Web application connect to a back-end database server?
– Does the Web application require authentication of the user?
– On what platform was the Web application developed?
– Follow the flow of information: is encryption (SSL) being used?
Protecting our Web Servers
– Patches, hotfixes, patch management
– Vulnerability scanners
– Online vulnerability search engine (NVD)
– Implement authentication methods
– Application + network protection
– Utilize IDS / IPS, VLANs, and DMZs
– Logging
Protecting our Web Applications & Servers
Capturing and maintaining system log files is an important part of Web server administration.
Rules for IIS Logging
– Configure the IIS logs to record every available field.
– Capture events with a proper time stamp.
– Ensure continuity in the logs.
– Ensure that logs are not modified in any way after they have been originally recorded.
– Log backups / storage location.
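Added example (not from the slides) of the continuity and tamper-evidence rules above, run over a constructed excerpt in the W3C extended log format that IIS writes: timestamps are checked for reordering and gaps, and a SHA-256 hash chain over the entries makes an edited or deleted line detectable when the chain is kept somewhere the web server cannot rewrite it (a write-once store or a separate log host). The hash chain is a technique added here, not an IIS feature; the log lines and client addresses are samples.

```python
"""Continuity and tamper checks for W3C extended log lines.
Added example; the log excerpt and the hash-chain seed are constructed."""
import hashlib
from datetime import datetime

# Constructed W3C extended log excerpt (IIS directive lines, then data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2013-11-09 10:00:01 203.0.113.5 GET /index.html 200
2013-11-09 10:00:02 203.0.113.5 GET /login.asp 200
2013-11-09 10:00:05 198.51.100.7 POST /login.asp 302
2013-11-09 10:00:09 198.51.100.7 GET /admin/ 403
"""

SEED = "constructed-seed"  # in practice a per-file random value kept off-box


def parse_w3c(text: str) -> list:
    """Return the data lines; '#' directive lines are skipped."""
    return [ln for ln in text.splitlines() if ln and not ln.startswith("#")]


def check_continuity(lines: list, max_gap_s: int = 3600) -> list:
    """Flag entries whose timestamp goes backwards or jumps by more than
    `max_gap_s`: reordering and gaps are what a 'cleaned' log looks like."""
    problems, prev = [], None
    for ln in lines:
        date, clock = ln.split(" ", 2)[:2]
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        if prev is not None:
            delta = (ts - prev).total_seconds()
            if delta < 0:
                problems.append(f"out of order: {ln}")
            elif delta > max_gap_s:
                problems.append(f"gap of {int(delta)}s before: {ln}")
        prev = ts
    return problems


def hash_chain(lines: list, seed: str = SEED) -> list:
    """Each digest covers the previous digest plus the line, so changing
    or removing any earlier line changes every digest after it."""
    digests, prev = [], seed
    for ln in lines:
        prev = hashlib.sha256((prev + "\n" + ln).encode()).hexdigest()
        digests.append(prev)
    return digests


def first_tampered_index(lines: list, stored: list, seed: str = SEED):
    """Recompute the chain over the log as found on the server and compare
    it with the chain kept elsewhere. Returns the index of the first
    mismatch (or the truncation point), or None if the log is intact."""
    for i, digest in enumerate(hash_chain(lines, seed)):
        if i >= len(stored) or digest != stored[i]:
            return i
    return None if len(lines) == len(stored) else len(lines)


if __name__ == "__main__":
    entries = parse_w3c(SAMPLE_LOG)
    chain = hash_chain(entries)
    print("continuity problems:", check_continuity(entries))
    edited = entries[:]
    edited[2] = edited[2].replace("198.51.100.7", "203.0.113.5")
    print("first tampered entry:", first_tampered_index(edited, chain))
```

The chain only helps if its digests (or at least the latest one) are written somewhere the attacker on the web server cannot reach, which is the "storage location" rule on the slide.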
Protecting our Web Applications & Servers
– Use of firewalls
– Administrator account renaming
– Disabling default Web sites
– Removal of unused application mappings
– Disabling directory browsing
– Legal notices
– Checking for malicious input in forms and query strings
– Disabling remote administration
– Web server security checklists / SOPs
– Database table honeypots & SQL whitelists
Review Questions – Question #1
The following code is an example of what language?
    <%
    Dim strLastname, strFirstname
    strLastname = Request.Form("Last")
    strFirstname = Request.Form("First")
    %>
a. PHP
b. HTML
c. ASP
d. JScript
Review Questions – Question #2
Which of the following can be used to create dynamic Web pages? (Choose all that apply.)
a. ColdFusion
b. PHP
c. ASP
d. MySQL
Review Questions – Question #3
Which of the following can be used to connect a Web server to a back-end database server?
a. ODBC
b. OLE DB
c. ADO
d. HTML
Review Questions – Question #4
Entering the value ' OR 1=1 in a Web application that has “Enter Your PIN” as a field is most likely an example of which attack?
a. SQL injection
b. Code injection
c. Buffer overflow
d. Ethernet flaw
Review Questions – Question #5
Entering the URL http://www.abc.com/%55/%55/%55/%55/%55 in a Web browser is an example of what exploit?
a. Buffer overflow
b. Unicode exploit
c. Worm injection
d. SQL injection
Review Questions – Question #6
The AccessFileName directive in Apache, along with a configuration file (such as .htaccess), can be used to perform which of the following on a Web site?
a. Run malicious code in the browser.
b. Protect against XSS worms.
c. Restrict directory access to those with authorized user credentials.
d. Scan for CGI vulnerabilities.
Review Questions – Question #7
Which of the following is an open-source technology for creating dynamic HTML Web pages?
a. ASP
b. PHP
c. Java
d. Oracle
Review Questions – Question #8
CGI is used in Microsoft ASP pages.
a. TRUE
b. FALSE
Review Questions – Question #9
Which of the following is used to connect an ASP Web page to an Oracle database?
a. ADO
b. HTML
c. CGA
d. OLE DB
Review Questions – Question #10
What tags identify ColdFusion as the scripting language?
a.
b.
c. The letters CF
d.
Review Questions – Question #11
An HTML Web page containing ASP code must be compiled before running.
a. TRUE
b. FALSE
Review Questions – Question #12 (last one)
IIS is used on more than twice as many Web servers as Apache Web Server.
a. TRUE
b. FALSE
Questions?
probbins@hawaii.edu
www2.hawaii.edu/~probbins
https://www.dorkatron.com/docs/ISA330/