14 Web threats
Hiteishi Diwanji
Client Level Threats:
- 1) Cross site scripting attacks
- 2) Unpatched Web clients
1) Cross-Site Scripting Attacks: The attacker needs to
- Inject HTML data into Web content
- Trick the user into visiting the XSS vulnerable website
- Cause the injected HTML data to execute on that user’s browser
Open Notepad, type the following and store it in the server directory as test.jsp (this page is deliberately vulnerable: the "name" parameter is written into the response without any encoding).
<html>
<body>
Hello
<%
out.println("welcome" + request.getParameter("name"));
%>
Ahmedabad
</body>
</html>
Try the following: http://localhost:8080/css/test.jsp?name=LDCE
Observation:
- 1) http://localhost:8080/css/test.jsp?name=LDCE
- 2) http://localhost:8080/css/test.jsp?name=<script>alert("hello")</script> In the second case the script code gets executed.
Countermeasures at Web application level:
Educate developers
Sanitize and validate all inputs that could potentially be used as part of dynamically generated Web responses.
- Encode URL
- URL encoding is normally performed to convert data passed via HTML forms, because such data may contain special characters, such as "/", ".", "#", and so on, which could either:
- a) have special meanings;
- b) not be valid characters for a URL; or
- c) be altered during transfer.
- The "#" character has a special meaning, so it needs to be encoded.
- The <space> character also needs to be encoded because it is not allowed in a valid URL.
- Some characters, such as "~", might not transport properly across the internet.
Example
- URL encoding is visible when dealing with <form>s.
- Form methods (GET and POST) perform URL encoding implicitly.
- Websites use the GET and POST methods to pass parameters between HTML pages.
<form method="GET" action="example.html">
<input type="text" name="var" size="50" value="This is a simple & short test.">
<input type="submit">
</form>
- This sample <form> sends the data in the text field using the GET method, which means that the data is appended to the URL as a query string.
- If the button is clicked, the resulting URL in the browser address bar is automatically encoded by the browser:
- http://www.permadi.com/tutorial/urlEncoding/example.html?var=This+is+a+simple+%26+short+test.
- The <space> character has been URL-encoded as "+".
- The & character has been URL-encoded as "%26".
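The form encoding described above, written out as an added example (not part of the lecture notes) that runs under Node.js: a hand-written application/x-www-form-urlencoded encoder and decoder, applied to the notes' own form value and to the "#" and "~" characters discussed earlier.

```javascript
// Added example: how a browser URL-encodes form data for a GET submission
// (application/x-www-form-urlencoded). Unreserved characters (A-Z a-z 0-9 - _ . *)
// pass through, a space becomes "+", and every other byte becomes %XX.
function formUrlEncode(text) {
  let out = "";
  for (const byte of Buffer.from(text, "utf8")) {
    const ch = String.fromCharCode(byte);
    if (/[A-Za-z0-9\-_.*]/.test(ch)) {
      out += ch;
    } else if (ch === " ") {
      out += "+";
    } else {
      out += "%" + byte.toString(16).toUpperCase().padStart(2, "0");
    }
  }
  return out;
}

// The reverse step performed by the server: "+" back to space, then %XX bytes.
function formUrlDecode(text) {
  return decodeURIComponent(text.replace(/\+/g, " "));
}

// Build the query string the sample <form> would append to the action URL.
function buildQuery(fields) {
  return Object.entries(fields)
    .map(([name, value]) => formUrlEncode(name) + "=" + formUrlEncode(value))
    .join("&");
}

// Constructed inputs: the notes' text-field value, plus characters the notes
// single out as needing encoding ("#", space, "~").
const query = buildQuery({ var: "This is a simple & short test." });
console.log(query);                               // var=This+is+a+simple+%26+short+test.
console.log(formUrlEncode("page#top ~user"));     // page%23top+%7Euser
console.log(formUrlDecode("a+%26+b"));            // a & b
// Cross-check against Node's built-in form encoder.
console.log(new URLSearchParams({ var: "This is a simple & short test." }).toString() === query); // true
```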
HTML Encoding:
HTML code
<html>
<body>
Hello
</body>
</html>
Encoded HTML
&lt;html&gt;
&lt;body&gt;
Hello
&lt;/body&gt;
&lt;/html&gt;
- When text is HTML-encoded, the markup inside it is not interpreted by the browser; it is displayed as literal text, so injected code cannot execute for the people who view it.
Use innerText property:
- Use innerText property instead of innerHTML.
- innerText property renders content safe and unexecutable.
- innerHTML is used to programmatically modify the contents between the opening and closing tags of an HTML server control, whereas the InnerText property automatically encodes special characters to and from HTML entities.
For example, in "<b>My Text</b>" the opening (<) and closing (>) tag characters are parsed as markup if innerHTML is used, but with innerText they are encoded as &lt; and &gt; respectively and only decoded by the browser later, at display time.
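The HTML-entity encoding that innerText (or a server-side encoder) applies, shown as an added example that is not part of the lecture notes: it is applied to the "name" parameter from the test.jsp page above so that the injected script from the second observation is displayed rather than executed. renderWelcomeUnsafe and renderWelcomeSafe are assumed stand-ins for the JSP's output line.

```javascript
// Added example: HTML-entity encoding as a countermeasure for the reflected
// "name" parameter in test.jsp.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// What the browser does at display time: entities back to characters.
function htmlDecode(text) {
  return text
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&"); // &amp; last, so "&amp;lt;" decodes to "&lt;", not "<"
}

// Unsafe stand-in for test.jsp's output line: the parameter is concatenated as markup.
function renderWelcomeUnsafe(name) {
  return "<html><body>Hello welcome" + name + " Ahmedabad</body></html>";
}

// Fixed version: the parameter is encoded before it is placed in the page.
function renderWelcomeSafe(name) {
  return "<html><body>Hello welcome" + htmlEncode(name) + " Ahmedabad</body></html>";
}

// True when the document contains a <script> tag as markup, i.e. something a browser would run.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed payload: the notes' second observation.
const payload = '<script>alert("hello")</script>';
console.log(containsScriptTag(renderWelcomeUnsafe(payload))); // true
console.log(containsScriptTag(renderWelcomeSafe(payload)));   // false
console.log(renderWelcomeSafe(payload)); // ...welcome&lt;script&gt;alert(&quot;hello&quot;)&lt;/script&gt; Ahmedabad...
```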
Client level countermeasures against XSS:
- Educate users about the threat of XSS. View web content only from sources they trust.
- Implement browser security: disable the use of JavaScript or Active Scripting for untrusted zones such as
2) Unpatched Web Browser Attacks:
- Attackers could modify web responses with a man-in-the-middle attack.
- Attackers lure users to URLs where they can exploit weaknesses in components such as ActiveX controls.
- Patching of desktop software such as web browsers should meet the organization's security requirements.
- Check whether the browser is patched automatically or must be patched manually.
Server level Threats:
- Web servers are much easier to reach than other servers.
- The targets are numerous – more web servers than databases and remote access servers.
- Web servers are often easier to attack: they can be accessed without authentication.
- Attackers seek notoriety.
- Compromising websites creates public embarrassment and financial loss; disgruntled ex-employees do this so that the company suffers financial losses.
Common web server threats
1) Repudiation
2) Information disclosure
3) Elevation of privileges
4) Denial of service
1) Repudiation:
- If the web server is compromised or hit by a denial of service (DoS) attack, it is necessary to determine how the attacker intruded. The solution is to log all activities. How can you check that logging is enabled? Open the property page for the Default Web Site: Run -> inetmgr, then check the web server properties.
To verify that logging is enabled, check the following from a browser:
- Access your organization’s web site and request a resource. The resource doesn’t have to be valid, but should be unique so that log can be examined later on. For example, http://Testsite/TestHome/IAmTestingToSeeLoggingIsEnabled.html
- Check for the log file. Search for files with .log extension. Open Web server’s log file to make sure that the request for IAmTestingToSeeLoggingIsEnabled.html was recorded.
2 ) Information Disclosure:
- Server header exposure
- Directory browsing
Server Header Exposure
telnet www.ldce.edu 80
HEAD / HTTP/1.0
Directory Browsing
When no default document such as Default.htm is found, this feature allows visiting users to view a server generated list of the contents on a website or in a virtual directory.
So the server is saying:
"I could not find the document; choose from the list."
Run -> inetmgr, Default Web Site -> right click -> Properties, go to the Home Directory tab -> Directory browsing
This has the potential to be abused. Why?
- If the organization has stored sensitive files, such as user names and passwords, on the website or in a virtual directory, directory browsing would give attackers immediate access to these files.
- Even if the file name is difficult to guess, like NHccbxAIA1PLAR0_uMmPZV7c.txt, directory browsing could be used to access it.
Countermeasure (Directory Browsing): Open IIS Manager
- Open the properties page of the website or directory on which you want to disable directory browsing.
- On the Directory tab, verify that Directory Browsing is not selected, and then click Apply. Then verify that directory browsing is disabled:
- Using a web browser, load the web site or virtual directory just protected. Directory browsing of the TestHome directory was disabled, so navigate to http://TestSite/TestHome.
- Examine the response from the server.
- If directory browsing is correctly disabled, either a message is displayed saying directory browsing is not allowed or you get another error message.
3) Elevation of Privileges: Common Sources
- Unpatched web servers – Web servers are installed in hostile environments, so they need to be sufficiently patched.
Countermeasure 1:
- Use devices such as application firewalls, network firewalls or intrusion prevention systems to sanitize malicious network traffic or block it from reaching the web servers. This is not enough, because the web servers remain vulnerable until the missing patches are applied: if an attacker finds another route to your organization's web servers, or causes one of these protective devices to fail, the web servers can easily be taken over.
Countermeasure 2:
- Apply the missing patches.
- For IIS, use automated tools like Microsoft Baseline Security Analyzer (MBSA). Verify that those patches are properly installed.
Manual Verification
- Review the list of patches installed on a system.
In Windows, open Control Panel, Add or Remove Programs, then Change or Remove Programs, and review the list of installed patches under the Currently Installed Programs section.
- Review the file versions of the affected files addressed by the patch.
File version information about the fixed DLL is included in the security bulletin so that customers can verify the installed file, e.g. Fp4awel.dll version 4.0.2.7802.
Verification with automated security assessment tools
- Use tools such as MBSA or Nessus
- Rescan your server to make sure that no new vulnerabilities have been introduced and that you have not missed a patch you weren't aware of.
Verification with exploit code
- To build defenses against the attacker, use the same tools and techniques that the attacker uses.
- For patch verification, thoroughly test the exploit code against a test machine in an isolated environment.
- Unknown vulnerabilities
- Zero-day vulnerabilities
Unknown vulnerabilities are vulnerabilities that have not been publicly disclosed.
- Buffer overrun: stack and heap buffers are made to hold more data than they can store. Take a buffer of 11 bytes and copy "Hello World" into it. Now copy "Welcome to planet Earth" into it. What would happen?
- The buffer would receive 12 more characters than it can store.
- What does a buffer overrun do?
- A DoS condition, making the page unavailable for a period of time (either the server recovers by itself or the administrator has to restart it).
- The attacker injects arbitrary code onto your web server and potentially gains further access to your organization.
Countermeasures:
- Disable unused services
- Validate input – validate the type and length of all data.
- Use application filters, such as URLScan, or application firewalls to limit the size of HTTP requests sent by users.
- Run URLScan – go to URLScan.ini
Check:
- MaxUrl – default 260 bytes. Check with http://TestSite/[Ax800] (800 "A" characters).
- MaxQueryString – default 2048 bytes. Check with http://TestSite/index.html?foo=[Ax3000]
- Max-<header> prefix – restrict a header to 10 bytes. Check with: telnet www.ldce.edu 80, then HEAD / HTTP/1.0 followed by CustomHeader:[Ax30]
- MaxAllowedContentLength – default 30000000. Set it to 500.
Check with: telnet www.ldce.edu 80, then HEAD / HTTP/1.0 followed by Content-Length:[Ax90000]
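An application-filter check in the spirit of URLScan's request limits, as an added example that is not part of the lecture notes or of URLScan itself: it parses a raw HTTP request head like the ones the telnet tests above send and rejects requests that exceed the limits the notes discuss. The limit names and the per-header cap are assumptions modelled on the notes' settings.

```javascript
// Added example: enforce request-size limits (URLScan-style) on a raw request head.
const LIMITS = {
  maxUrl: 260,                  // MaxUrl default from the notes
  maxQueryString: 2048,         // MaxQueryString default from the notes
  maxAllowedContentLength: 500, // lowered from the 30000000 default, as the notes advise
  maxHeaderBytes: { customheader: 10 }, // assumed Max-CustomHeader style per-header cap
};

// Parse "METHOD target HTTP/x.y\r\nHeader: value\r\n..." into its parts.
function parseRequestHead(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.length > 0);
  if (lines.length === 0) throw new Error("empty request");
  const [method, target = "", version = ""] = lines[0].split(/\s+/);
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  const q = target.indexOf("?");
  const path = q < 0 ? target : target.slice(0, q);
  const query = q < 0 ? "" : target.slice(q + 1);
  return { method, path, query, version, headers };
}

// Returns null when the request is within limits, otherwise the name of the rule it breaks.
function checkRequestLimits(raw, limits = LIMITS) {
  const req = parseRequestHead(raw);
  if (Buffer.byteLength(req.path) > limits.maxUrl) return "MaxUrl";
  if (Buffer.byteLength(req.query) > limits.maxQueryString) return "MaxQueryString";
  const len = Number(req.headers["content-length"] || 0);
  if (!Number.isInteger(len) || len < 0) return "Content-Length"; // malformed length header
  if (len > limits.maxAllowedContentLength) return "MaxAllowedContentLength";
  for (const [name, cap] of Object.entries(limits.maxHeaderBytes)) {
    if (name in req.headers && Buffer.byteLength(req.headers[name]) > cap) return "Max-" + name;
  }
  return null;
}

// Constructed requests mirroring the notes' tests ([Ax800] = 800 "A" characters, etc.).
const okRequest = "HEAD / HTTP/1.0\r\nHost: TestSite\r\n";
const longUrl = "GET /" + "A".repeat(800) + " HTTP/1.0\r\n";
const bigBody = "HEAD / HTTP/1.0\r\nContent-Length: 90000\r\n";
console.log(checkRequestLimits(okRequest)); // null
console.log(checkRequestLimits(longUrl));   // MaxUrl
console.log(checkRequestLimits(bigBody));   // MaxAllowedContentLength
```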
- Nonessential services
- Best defense – Reduce the number of available services attackers can leverage.
- If the organization needs only static HTML, don't allow ASP or PHP.
- Two types of services can be exploited:
- Operating system services – To see the services running on your web server: sc.exe \\<servername> queryex | findstr "SERVICE_NAME"
TRY: sc.exe \\localhost queryex
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1620
        FLAGS              :

        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 2808
        FLAGS              :
TRY: sc.exe \\localhost queryex | findstr "wudfsvc"
SERVICE_NAME: wudfsvc
Countermeasures:
- A service that is not required should be disabled.
- Disable services from the Services tab in Control Panel.
- Or use the command
sc.exe \\<servername> stop <servicename>
sc.exe \\www.ldce.edu stop messenger
To prevent the service from starting automatically when the operating system boots, run
sc.exe \\<servername> config <servicename> start= disabled
sc.exe \\www.ldce.edu config Messenger start= disabled
- Web server services – Inspect the web server's configuration file.
Countermeasures:
- Open IIS Manager.
- View the Web Service Extensions folder.
- Prohibit extensions that are not required, e.g. allow .asp but not .ashx.
- Open IIS Manager.
- Open the properties page of the website you are protecting.
- Open the Home Directory tab.
- On the Application Configuration page, click Remove for any application extension mappings your organization does not require.
- Canonicalization attacks
- http://TestSite/cmd%252eexe is equivalent to
- http://TestSite/cmd.exe
- %252e double-decodes to "." (%25 decodes to "%", giving %2e, which decodes to ".").
- If security checks are applied to non-canonicalized forms of input data, attackers might be able to bypass some security features.
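The countermeasure implied by the canonicalization point above, as an added example that is not part of the lecture notes: decode the request path until it stops changing (with a cap on decoding rounds), resolve dot segments, and only then apply an access rule, so that /cmd%252eexe is judged as /cmd.exe. The rule that rejects .exe paths and the round cap are assumptions for illustration.

```javascript
// Added example: canonicalize a request path before applying access checks.
const MAX_DECODE_ROUNDS = 3; // assumed cap; legitimate clients encode once

// Percent-decode until the string is stable; refuse inputs that need more
// rounds than a legitimate client would ever produce.
function fullyDecode(path) {
  let current = path;
  for (let round = 0; round < MAX_DECODE_ROUNDS; round++) {
    const next = decodeURIComponent(current); // throws URIError on malformed %XX
    if (next === current) return current;
    current = next;
  }
  throw new Error("too many encoding layers");
}

// Resolve "." and ".." segments and collapse repeated slashes; ".." never
// climbs above the root.
function normalizePath(path) {
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

function canonicalize(path) {
  return normalizePath(fullyDecode(path).replace(/\\/g, "/"));
}

// Access rule applied to the canonical form only: no executables may be requested.
// Malformed or over-encoded input is rejected rather than guessed at.
function isAllowed(path) {
  try {
    return !/\.exe$/i.test(canonicalize(path));
  } catch (err) {
    return false;
  }
}

console.log(canonicalize("/cmd%252eexe"));           // /cmd.exe
console.log(canonicalize("/docs/%2e%2e/cmd%2eexe")); // /cmd.exe
console.log(isAllowed("/cmd%252eexe"));              // false
console.log(isAllowed("/index.html"));               // true
```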
Service Level Threats:
- What is SOAP?
- Unauthorized Access
- Network Sniffing
- Tampering
- Information disclosure
Suggested Reading:
- Cryptography and Network Security: Principles and Practice by William Stallings, sixth edition, Pearson.
- Security in Computing by Charles Pfleeger & Shari Lawrence Pfleeger, fourth edition, Pearson.
- Network Security by Charlie Kaufman, Radia Perlman, Mike Speciner, second edition, PHI.
- The Complete Reference – Network Security by Roberta Bragg, Mark Rhodes-Ousley & Keith Strassberg, Tata McGraw Hill.
- Network Security Bible by Eric Cole, Ronald Krutz, James Conley, Wiley.
- Hacking Exposed 6 by Stuart McClure, Joel Scambray & George Kurtz, Tata McGraw Hill.
- www.snort.org
- https://nmap.org