CEH: Web Applications and Data Servers: Examine IIS Webserver Architecture IIS is easy to set up and configure, but harder to secure. It invites several bad security practices, including being installed on hosts that are not supposed to be web servers and, on those that are, the inclusion of extensions such as ISAPIs (Internet Server Application Programming Interfaces) that contain known vulnerabilities.
Most of the time, if the web application itself is written with secure coding practices, many of these hazards can be avoided.
CEH: Web Applications and Data Servers: Learn regarding HTTP Response Splitting Attack An HTTP header isn't normally seen by the viewer of an HTML document, but the browser processes this data to help it decide what to do on the client side of the application, as well as to communicate with the server side on the next request. Viewed as text, what separates the headers in any exchange is the CRLF (Carriage Return Line Feed) pair. If attackers can inject or manipulate these separators, they can make the server appear to emit arbitrary responses.
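The mechanics can be sketched in a few lines of Python. The header values and forged page below are hypothetical; the point is that an unsanitized value containing CRLF sequences lets the attacker terminate the real response and begin a second, forged one.

```python
# A user-supplied value that should have been a simple redirect target.
# The embedded CRLF pairs end the legitimate response and start a forged
# second response (header and body content here are made up).
malicious_value = (
    "innocent.html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 19\r\n"
    "\r\n"
    "<html>forged</html>"
)

# A naive server builds its headers by string concatenation:
response = "HTTP/1.1 302 Found\r\nLocation: " + malicious_value + "\r\n\r\n"

# The stream now contains two complete responses; a proxy or browser that
# parses them in sequence will treat the forged one as genuine.
print(response.count("HTTP/1.1"))  # → 2
```

A shared cache that stores the forged second response against the attacker's next request URL is how this splits into cache poisoning.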
CEH: Web Applications and Data Servers: Understand Web Cache Poisoning Attack Cache is essentially a memory space. A person can collect a list of things to do for the day and keep it in cache, then forget the items either as they are completed or as a timer expires. The problem with any network protocol that is trusting is that the cache can be populated with advertised information that was never asked for.
Cache poisoning can happen with anything from ARP (Address Resolution Protocol) up to DNS (Domain Name System), redirecting traffic at the attacker's will. At the Application layer, even the browser can be fooled into thinking an address is something other than what it is.
CEH: Web Applications and Data Servers: Understand HTTP Response Hijacking Similar to the "Session Fixation" attack described before. In this case, a MiTM (Man in the Middle) technique such as ARP poisoning, or modifying a controlled host's browser settings, directs traffic through a proxy server such as "Paros," and the HTTP response traffic is altered on the fly.
CEH: Web Applications and Data Servers: Discuss SSH Bruteforce Attack Any "brute force" attack is essentially a wide-scale automated guessing attack. No matter how strong the encryption technology is, if a weak password generates the key material, then a side-channel attack such as password guessing is possible.
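The principle, that strong cryptography cannot protect a weak secret, can be shown in a short Python sketch. The salt, stored hash, and wordlist below are made up for illustration.

```python
import hashlib

# Hypothetical: the server stores a salted SHA-256 digest of the password.
salt = b"s1"
stored_digest = hashlib.sha256(salt + b"dragon").hexdigest()

def brute_force(wordlist):
    """Automated guessing: hash each candidate and compare to the stored
    digest. The strength of SHA-256 is irrelevant if 'dragon' is in the list."""
    for word in wordlist:
        if hashlib.sha256(salt + word.encode()).hexdigest() == stored_digest:
            return word
    return None

print(brute_force(["password", "letmein", "dragon"]))  # → dragon
```

Rate limiting, lockouts, and key-based SSH authentication defeat this; the math alone does not.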
CEH: Web Applications and Data Servers: Understand Webserver Attack Methodology Every system has layers. If the server can be physically reached, it is owned. Above that sit the operating system and any services that can be accessed, and the individual applications behind each service might be vulnerable to some access as well.
Just as protection is designed in layers, so is the attack.
CEH: Web Applications and Data Servers: Understand Webserver Pen Testing
Know the Attacks and Risks of Web Applications
Banner Grabbing
Banner grabbing is conducted during the information discovery phase of the attack. It is for the purpose of determining the Web server and operating system versions.
Another important resource is http://www.netcraft.com. This service tracks version, OS, and uptime of Internet accessible websites.
Denial of Service (DoS)
If all of the other attacks fail, or if the objective in the first place is simply to embarrass the owner of the website or perform an extortion attack, a DoS or Distributed DoS is a possibility.
There are also attacks against unpatched Web servers that exploit both problems with modules provided by the HTTP service and issues with the underlying OS. A well-known example is the Sasser worm, which exploits a weakness in the Windows LSA (Local Security Authority) service and renders the host inaccessible.
Administrators must always remember to disable unnecessary extensions. In the IIS server, these are called ISAPIs (Internet Server Application Programming Interfaces). The IIS Lockdown tool available from Microsoft can assist with selecting the correct modules to leave enabled based upon the role of the server.
Password Guessing
Unless the front door of the Web application is protected with a "try limit," there is nothing stopping attackers from spending all day guessing passwords. In some cases it is possible to get lucky and hit a random person's account. If the attackers have performed thorough reconnaissance, they can make educated guesses and figure out the answers to the cognitive questions that might reset or reveal the actual password.
Tools such as Brutus or Hydra can automate the guessing process. Looking at the source code of the page, determine the names of the fields associated with the login form. For example:
<input type="text" name="uname"/>
<input type="text" name="passwd"/>
In this case, the uname and passwd fields are of interest. A dictionary file with pairs of words can be thrown at this form automatically. The file should include obvious words like “test,” “guest,” “practice,” and so on. With some dumpster diving or other means of collecting information, a company directory can be used to put together likely usernames. Then a dictionary list of common passwords can be used to audit the weak logins.
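The pairing step that tools like Brutus or Hydra automate can be sketched in Python. The usernames and passwords below are hypothetical stand-ins for a harvested company directory and a common-password wordlist.

```python
from itertools import product

# Hypothetical lists: usernames gathered from a company directory and a
# wordlist of common passwords, as described above.
usernames = ["test", "guest", "practice", "jsmith"]
passwords = ["password", "letmein", "123456"]

def candidate_logins(users, words):
    """Yield every (username, password) combination a brute-force tool
    would submit to the uname/passwd fields of the login form."""
    for user, word in product(users, words):
        yield {"uname": user, "passwd": word}

pairs = list(candidate_logins(usernames, passwords))
print(len(pairs))  # 4 usernames x 3 passwords = 12 attempts
```

Each dictionary maps directly onto the form field names recovered from the page source, which is why reading the HTML first matters.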
Abusing the Robots.txt File
All files on a site are organized into folders under its root directory. Robots (spiders) from search engines crawl the directories of a website looking for pages to catalog into the search engine.
Some files such as scripts should be stored in a directory that is inaccessible to the Web user login and instead is only accessible by the Web service that needs to call the library files from other active pages. Other directories might contain documentation or sample code that is not meant for public viewing.
The robots.txt file is supposed to tell a robot what it can and cannot index. It is placed at the root of the website. It also tells attackers where the good stuff is. Consider the following example robots.txt file:
User-agent: *
Disallow: /cgi-bin/
Disallow: /docs/
The first line says this file applies to all forms of robots. The other lines tell them what they cannot index. The problem with this is clear—it is up to the robot to be courteous enough to obey the directives.
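An attacker's first pass over robots.txt can be automated in a few lines of Python: pull out exactly the paths the site asked robots not to index.

```python
# Parse a robots.txt body and collect the Disallow paths -- precisely the
# directories an attacker would probe first.
robots_txt = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /docs/
"""

def disallowed_paths(text):
    paths = []
    for line in text.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths

print(disallowed_paths(robots_txt))  # → ['/cgi-bin/', '/docs/']
```

A courteous robot honors these directives; a fetch script simply treats them as a target list.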
Offline Browsing
Sometimes it is more efficient to download as much of the website as possible first, and then search through it offline for information such as keywords, e-mail addresses, names, and so on.
Tools such as “wget” and “black widow” are ideal for this activity. Also do not forget about archive.org and “The Wayback Machine,” which archive old versions of sites.
Hidden Form Fields
Whether you are browsing offline or looking at the source code of a recent page, finding hidden form fields can be rewarding. They do not display in the browser window, but the value attribute can carry important data with the form submission back to the server.
In the early days, hidden form fields included prices! The attack was simply to modify the source code and resubmit the page. Presently, hidden form elements might contain password hashes, retry counters, or other significant items. Consider the following example (the field name and token value here are illustrative):
<input type="hidden" name="session_token" value="a1b2c3d4e5f6"/>
Capturing the token using a proxy such as “Paros” would allow attackers to substitute this token with one generated from their own browser, and take over the login session of the other user.
Directory Traversal
One of the other functions of a Web server is to keep the anonymous user account confined to the file system of the website itself. In other words, the root of the website files is the root of what the user can see on the system. In navigating directories, the "../" characters mean "navigate to the parent" directory. On some systems it is possible to navigate up through several parents and then drill down into the file system. For example:
http://example.dom/scripts/../../../winnt/system32/cmd.exe?/c+dir
Starting in the root folder on example.dom, move into the scripts folder (to pick up execute permissions), then come up three parent levels (which might place the attacker at the root of the drive), then drill down to where the cmd.exe utility is and invoke it. The query string passes a command to that shell, and since the result is a character stream, HTTP will return it to the attacker’s browser. On a vulnerable host, a directory listing would be displayed.
This vulnerability potentially exists on both Windows and Linux systems. Filters are available to detect the “../” characters in the URL; however, there are two problems. First, if the programmer of the website decided to use relative links between pages, then the dot dot slashes will appear in the requests intentionally, and the filter will break the website. Second, there are many ways to hide the characters with encoding techniques. Consider the following examples:
%2E%2E%2F
%2E%2E/
%2E.%2F
%%32E%%32E%%32F
These are all equivalent strings once the URL encoding has been parsed. The final example is double encoded. The point is to see that there are thousands of ways to represent a directory traversal attempt. Scanners such as "N-Stealth" have tens of thousands of traversal and XSS attempts that can be sent to test a Web server for vulnerabilities.
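The equivalence of those four strings can be checked with Python's standard library. Two decoding passes are used because the final example is double encoded.

```python
from urllib.parse import unquote

# The four encoded traversal strings from the examples above.
samples = ["%2E%2E%2F", "%2E%2E/", "%2E.%2F", "%%32E%%32E%%32F"]

def fully_decode(s, rounds=2):
    """Decode repeatedly; the double-encoded form needs two passes,
    which is exactly how such strings slip past single-pass filters."""
    for _ in range(rounds):
        s = unquote(s)
    return s

print([fully_decode(s) for s in samples])  # → ['../', '../', '../', '../']
```

A filter that decodes only once sees "%2E%2E%2F" where the Web server, decoding again, sees "../". This mismatch is the heart of double-encoding evasion.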
URL Obfuscation
In addition to URL encoding techniques, there are different ways to represent the address of the Web server. This technique is commonly used in spam messages to convince the victim the link is safe. Consider the following examples:
http://eccouncil.org
http://superbank@eccouncil.org
http://64.147.96.106
http://0x4093606A
http://1083400298
http://superbank@1083400298
These are all equivalent addresses. For the CEHv6 exam, it is important that you can use a normal (not a scientific) calculator to perform the conversions. To convert a dotted quad IP address to its decimal form using the previous example, the formula would be worked out as follows:
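The arithmetic treats each octet as a base-256 digit, shown here in Python:

```python
# Convert the dotted-quad 64.147.96.106 to its single-decimal form.
octets = [64, 147, 96, 106]

decimal = (octets[0] * 256**3   # 64  * 16777216 = 1073741824
           + octets[1] * 256**2  # 147 * 65536    =    9633792
           + octets[2] * 256     # 96  * 256      =      24576
           + octets[3])          # 106
print(decimal)       # → 1083400298
print(hex(decimal))  # → 0x4093606a
```

The same value in hexadecimal gives the 0x-prefixed form of the address, which is why all of the example URLs above reach the same host.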
Fake Certificates
Also referred to as an SSL MiTM attack, this attack begins as a social engineering exercise in which a victim is convinced to accept a fake certificate. The website is often a spoofed site designed to masquerade as a common business, an intranet page, or a place the victim would be familiar with.
The browser will warn users that the certificate chain cannot be validated, but most users in this situation are not familiar with what that means. If the e-mail they were sent with the link was convincing enough, the victim will be focused on the urgency of visiting the site and will dismiss the warning as a browser error. The padlock closes, the SSL connection is established, and users are certain they can trust the site with their passwords.
Once the attack is completed, users might be sent to the legitimate site in order to keep the appearance of the scenario intact.
Cookie Stealing
Cookies are small pieces of data stored on the client side (presentation layer) of a Web application. They can then be read back from subsequent pages loaded from the same domain. Netscape invented the cookie object in order to store authentication tokens, customization settings, and dates and times that would allow Webmasters to track usage patterns.
There are some constraints to using cookies. The original specification set out the following rules:
Only the domain that set the cookie could read it.
Browsers will only store 20 cookies per domain.
Browsers will only store 300 cookies total.
These constraints were meant to protect clients from having their entire hard drive consumed by cookies. The data are stored in different ways according to the browser design, and they are not always encrypted.
Cookie stealing can be accomplished in the following ways:
Physical access to a system might allow an attacker to simply copy cookies out to a file and walk away.
Using a sniffer or proxy server, unencrypted cookies can be eavesdropped on and then substituted on the next page request.
Companies can triangulate cookie tokens on the back end of an application.
Let’s examine the latter possibility. If “techsite.com” sets a cookie on a visitor’s system that contains a unique token, it can then share that token with an affiliate site such as an advertising partner. The advertisement itself will be downloaded from the domain of the advertisers, who then correlate the token they were given by “techsite.com” and write it into a cookie from their domain. From here, all activity can be tracked, and every link the visitor clicks builds up a database of preferences from which future ads can be targeted. This includes other websites that the ad agency partners with since they could always share the token with them as well.
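The triangulation described above amounts to sharing one token across cookie namespaces and logging activity against it. A minimal Python sketch (site names, token, and URLs are all hypothetical):

```python
# Hypothetical back-end correlation: two partner sites share one token.
techsite_cookies = {"visitor_token": "T-1001"}

# The ad partner is handed the token by techsite.com and writes it into a
# cookie from its own domain, then logs every click against it.
ad_partner_cookies = {"ad_token": techsite_cookies["visitor_token"]}
click_log = {}

def record_click(token, url):
    """Build up the preference database that future ads are targeted from."""
    click_log.setdefault(token, []).append(url)

record_click(ad_partner_cookies["ad_token"], "http://techsite.com/reviews")
record_click(ad_partner_cookies["ad_token"], "http://partner.dom/deals")
print(click_log)
```

Because the same token keys both cookies, activity on every partnered site accumulates under one profile, without either domain violating the same-domain cookie rule.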
There are many scripts and examples of using the document.cookie object in JavaScript. The aforementioned http://www.w3schools.com has some excellent tutorials on the topic.
Session Sidejacking
Session IDs are strings of random characters that are associated with a visitor's present visit to a website. They can be set and stored in a cookie, transferred in the HTTP header, or even placed in the URL.
Session sidejacking is another name for the process of sniffing this session ID string from a legitimate user. Attackers then start a session with the same website and replace their own ID token with the one captured from the victim’s session. Packet sniffers and proxy servers make this a fairly easy attack if measures are not taken to enhance the token with additional characteristics or to protect it within an encrypted tunnel.
XSS (Cross Site Scripting)
This attack was originally called a CSS attack, and on the CEHv6 exam that term might still be used. Since CSS stands for Cascading Style Sheets, the name of this attack was changed to XSS. Sometimes it is referred to as JavaScript injection.
Many actual XSS vulnerabilities are more complex than the following example, but the basic idea can illustrate the concept well enough. When an HTML form allows a visitor to submit special characters that are not “cleansed” or filtered, it is possible to interact with the code on the logic layer from the HTML form on the client side.
In the case of XSS attacks, the string of characters entered into the HTML form makes it all the way through processing and back to the client side with no alteration at all. The client then executes it as presentation-layer script.
Consider the following example: An HTML form is asking for a visitor's first name. In the field she puts:
<script>alert("FUBAR!")</script>
Then she submits the form only to find that on the resulting page an alert box indeed pops up and says "FUBAR!" She notices in the URL that there is a name/value pair that includes the string:
http://www.example.dom/page.xyz?first_name=<script>alert("FUBAR!")</script>
She then examines the source code and notices that the injected script looks like something the client would try to execute rather than treat as a simple string of characters. She enters a different parameter into the browser address bar such as:
first_name=<script>window.location="http://www.example.dom"</script>
Then she resubmits the page and is quite surprised by what she sees. The location property of the window object of the browser has changed, resulting in a redirect.
The final step would be to find a vulnerable site and inject a similar redirect attack. The URL can be obfuscated using encoding methods to hide the intent of the link. Send this link in a phishing e-mail and those who click on the link will have unfortunate results waiting for them. Other than not clicking, there is little the victim can do to stop this.
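The server-side fix is the "cleansing" step mentioned earlier: escape special characters before reflecting input back to the client. A minimal Python sketch (the page fragments are hypothetical) shows the difference escaping makes:

```python
import html

# The root cause of reflected XSS: user input echoed back verbatim.
first_name = '<script>alert("FUBAR!")</script>'

unsafe_page = "<p>Hello, " + first_name + "</p>"             # browser executes it
safe_page = "<p>Hello, " + html.escape(first_name) + "</p>"  # inert text

print("<script>" in unsafe_page)  # → True
print("<script>" in safe_page)    # → False
```

With html.escape, the angle brackets arrive as &lt; and &gt;, so the browser renders the payload as literal text instead of running it, which is why output encoding is the standard XSS defense.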
CEH: Web Applications and Data Servers: Learn SQL Injection Methodology
Start by entering disruptive characters, like a single tick, into a form, or through parameter manipulation such as in HTTP headers or in cookies that are not encrypted. Other characters might work, but the point is to first cause an error and then utilize SQL skills from there. The attack is all about character injection into a request.
CEH: Web Applications and Data Servers: Understand Evasion Techniques for SQL Injection
Filters cannot look for every combination of blah' or 1 = 1 -- and every other statement that returns true, but application-layer filters can look for SQL commands that are not appropriate on that segment of the network.
SQL injection works from similar principles as XSS attacks, but involves SQL (Structured Query Language) being passed to the database layer of the Web application rather than round tripping back to the client. Once an SQL injection vulnerability is found, the only limitation to attackers is their skill with SQL queries. Attackers can sit there at the browser and submit SQL statement after statement until the entire backend is mapped, altered, viewed, and controlled.
On an HTML form, the attack tries something along the lines of a single tick character (single quote). If a 500 series error results from the HTTP server, indicating the logic layer script could not do its job, then there is a possible vulnerability. Next attackers try a string such as:
blah' or 1 = 1 --
The “blah” does not matter; it could be anything. The tick disrupts the code on the logic layer and the characters that follow are evaluated rather than simply passed through. The two hyphens cause the rest of the logic layer statement to be commented out and therefore ignored.
Consider the following line of code (it is all meant to be one line):
Set rst=Conn.Execute("select * from userinfo where username = '" & Request.Form("username") & "' and password = '" & Request.Form("password") & "'")
There are two languages present in this code. One is Active Server Pages and the other is SQL. They are separated by nested quotes (alternating between single and double) so the server side interpreter can make sense out of each statement starting at the innermost nested statements first.
Once the tick and the hyphens are injected into the code by the evaluation of Request.Form("username"), the characters that follow take on a completely different nature:
Set rst=Conn.Execute("select * from userinfo where username = 'blah' or 1 = 1 --")
The return of this command will be a “true.” The rest of the script is an if/else construct that says “If true then it is all good” else go to the failed login page. This exploit will result in a successful login. Once the vulnerability is discovered, nearly any SQL statement can be inserted instead.
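The whole exploit, and its standard fix, can be reproduced with Python's built-in sqlite3 module. The table name and credentials below are made up for the demonstration.

```python
import sqlite3

# Build a throwaway users table to attack.
conn = sqlite3.connect(":memory:")
conn.execute("create table userinfo (username text, password text)")
conn.execute("insert into userinfo values ('alice', 's3cret')")

username = "blah' or 1 = 1 --"
password = "anything"

# Vulnerable: string concatenation, as in the ASP example above. The tick
# closes the string, 1 = 1 is always true, and -- comments out the rest.
query = ("select * from userinfo where username = '" + username
         + "' and password = '" + password + "'")
vulnerable_rows = conn.execute(query).fetchall()
print(len(vulnerable_rows))  # → 1 -- every row matched: login succeeds

# Safe: a parameterized query treats the tick as plain data.
safe_rows = conn.execute(
    "select * from userinfo where username = ? and password = ?",
    (username, password)).fetchall()
print(len(safe_rows))  # → 0
```

The parameterized version is the general defense: the database driver keeps the query structure and the user-supplied data separate, so injected characters can never be evaluated as SQL.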
CEH: Web Applications and Data Servers: Gain insights on Web Application Pen Testing
Web application testing often results in a "blind attack," meaning that the results of each attempt are not obvious and apparent. A thorough understanding of several protocols and languages, such as HTTP, HTML, JavaScript, CSS, and SQL, is a good start. Sometimes what appears to be a failed attempt isn't.
CEH: Web Applications and Data Servers: Identify Server Side Technologies
Know How Web Applications Work
Presentation Layer
The presentation layer is the code that gets processed in the visitor's browser. The role of the browser in a Web application is to resolve DNS addresses, make HTTP requests, receive the page and all resources that are referenced within the page, and, through a variety of rendering engines and plug-ins (also called BHOs, or Browser Helper Objects), render the content visually.
There are primarily three languages involved. Combined together they are sometimes called “DHTML” (Dynamic Hypertext Markup Language):
HTML
HyperText Markup Language provides a way to describe the structure of a page. It marks elements as being headers, paragraphs, and references to other resources. These elements do not necessarily all look a certain way; the marks are functional to the document as a whole.
CSS
Cascading Style Sheets (CSS) handle the look and feel of a Web page. Browsers have a built-in default style sheet that can be used to display marked-up page objects. The designer can also provide a style sheet of his own to define elements in accordance with a layered (cascading) set of style guide rules.
The flexibility of this design allows the same page content to be usable in a variety of browser clients. Marketing and business pressures often result in poor designs that override this flexibility in order to force a graphic and color scheme onto the visitor. This was not the original intent. Section 508 (http://www.section508.gov/) describes accessibility standards for Web pages. The basic idea is that content should remain accessible even if users specify their own style sheet and the scripting functions of a page are disabled.
JavaScript
A scripting language provides interactive elements to the document and can access the objects modeled by the HTML markup as well as objects that are built into the browser.
This is one of the ways various browsers have attempted to compete with each other over the years, much to the frustration of developers who must often write their pages to work in several different ways so as not to alienate their customers.
In recent years, a technology called "AJAX" (Asynchronous JavaScript and XML) has completely transformed the client experience. Rich applications such as Google's office suite and greatly enhanced multimedia have changed the way we work on the Web. The advertising world has also been revolutionized by this technology—targeted ads now become a part of the Web page and can react to how the visitor uses the website.
AJAX is a suite of technologies that uses the XMLHttpRequest API (Application Programming Interface) to send HTTP requests and pass the results directly to the scripting object in the page on the client side. This enables a continuous conversation between the client and server.
While HTML parsing engines were forgiving of sloppy code, the sophisticated nature of AJAX requires unambiguous object models created by the markup of page elements. XML (eXtensible Markup Language) provides the specification for well-formed markup along with the ability to create an entirely new vocabulary for describing objects. CSS is still used to define the visual properties of the page elements.
Although the programming of AJAX websites is much more involved than standard DHTML, many of the same threats still exist if the application is not coded properly. AJAX allows for server side validation of form data, which is a huge improvement as it prevents the controls from being altered on the client side, but XSS and SQL injection attacks are still possible.
Manipulation of client side code can be as simple as saving the source code of the page, opening it in a text editor, editing and saving it, and then loading the page back into the browser. JavaScript that was meant to validate the form can be removed, and parameters written to cookies can be altered this way, even if the cookie is encrypted as it is stored on the hard drive.