Audit code! The correct line was this:
if (id < 0 || id >= channels_alloc)

Input Validation Attacks
Ways to sneak malicious input past input validation

Canonicalization Attacks
Canonicalization is converting input into its standard form, or canonical form
Example: the backslash character: \ in ASCII, %2f in hexadecimal, %2f or %c0%af in Unicode

URL Directory Traversal
http://10.1.1.3/scripts/../../../../winnt/system32/cmd.exe?/c+dir
This one might be allowed:
http://10.1.1.3/scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir

Other Canonical-Form Exploits
There are many others; here are some examples

Normalize Before Validation
Canonicalization attacks work because code is scanned for illegal characters before it is converted to canonical form

Canonicalization Countermeasures
This script will prevent some canonicalization attacks against ASP.NET applications
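The normalize-before-validation point above, as an added example that is not from the slides: a request handler that scans the still-encoded URL for a traversal segment and only then decodes (leniently, as the old IIS decoder did) is contrasted with one that canonicalizes first and validates second. The sample paths and the functions lenient_decode, collapse, vulnerable_resolve and safe_resolve are constructed for this illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request paths, shaped like the IIS URLs above
PLAIN_TRAVERSAL = "/scripts/../../../../winnt/system32/cmd.exe"
OVERLONG_TRAVERSAL = "/scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe"
BENIGN = "/scripts/reports/./summary.asp"

def lenient_decode(url_path):
    """Model of the old IIS decoder: overlong 2-byte UTF-8 (e.g. %c0%af) is accepted as ASCII."""
    raw = unquote_to_bytes(url_path)
    out, i = bytearray(), 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))  # %c0%af -> '/'
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")

def collapse(path):
    """Resolve '.' and '..' segments; None if the path climbs above the web root."""
    stack = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None
            stack.pop()
        else:
            stack.append(seg)
    return "/" + "/".join(stack)

def vulnerable_resolve(url_path):
    """Validate first, canonicalize second: the order the slides warn about."""
    if re.search(r"/\.\./", url_path):  # scans the still-encoded request
        return None
    return lenient_decode(url_path)     # '..' left for the file system to resolve

def safe_resolve(url_path):
    """Canonicalize first, validate second: strict UTF-8 rejects overlong forms."""
    try:
        decoded = unquote_to_bytes(url_path).decode("utf-8")  # %c0%af raises here
    except UnicodeDecodeError:
        return None
    return collapse(decoded)
```

The vulnerable ordering blocks the plain traversal but hands the overlong variant to the file system as the same path; the canonicalize-first ordering rejects both and accepts only the benign request.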
URLScan
Prevents malicious URLs from reaching an IIS Web server
Built into IIS 6 and later versions
Web Application and Database Attacks
SQL Injection and many more
Coming up in the next chapter

Common Countermeasures
People: Changing the Culture
Process: Security in the Development Lifecycle (SDL)
Threat Modeling
Code Audits, both manual and automated
Tools
Security Testing
Fuzzing: generating random and crafted input to test software
This is how David Maynor 0wned the Mac via Wi-Fi (link Ch 11m)
Pen Testing: experienced attackers testing the application
Audit or Final Security Review: check products before shipping
Maintenance: reports of vulnerabilities; patches and hotfixes
Last modified 4-24-09
Web Server Hacking
Popular Web Servers
Microsoft IIS/ASP/ASP.NET
LAMP (Linux/Apache/MySQL/PHP)
BEA WebLogic (Link Ch 12j)
IBM WebSphere (Link Ch 12k)
Popularity: Links Ch 12l, 12m

An attacker with the right set of tools and ready-made exploits can bring down a vulnerable web server in minutes
Some of the most devastating Internet worms have historically exploited these kinds of vulnerabilities
Code Red and Nimda attacked IIS vulnerabilities

Why the Risk is Decreasing
The risk of such attacks is decreasing, because:
Newer versions of Web servers are less vulnerable
System administrators are better at configuring the platforms
Patches come out more rapidly
Countermeasures are available, such as:
Sanctum/Watchfire's AppShield, a Web application firewall (link Ch_12n)
Microsoft's URLScan, built in to IIS 6 and IIS 7 (Link Ch_12o)
Automated vulnerability-scanning products and tools are available
Web Server Vulnerabilities
Sample files
Source code disclosure
Canonicalization
Input validation (for example, buffer overflows)

Sample Files
Sample scripts and code snippets to illustrate creative use of a platform
In Microsoft's IIS 4.0, sample code was installed by default: showcode.asp and codebrws.asp
These files enabled an attacker to view almost any file on the server, like this:
http://192.168.51.101/msadc/Samples/SELECTOR/showcode.asp?source=/../../../../../boot.ini
http://192.168.51.101/iissamples/exair/howitworks/codebrws.asp?source=/../../../../../winnt/repair/setup.log

Sample Files Countermeasure
Remove sample files from production webservers
If you need the sample files, you can get patches to improve them
ColdFusion Expression Evaluator patch (Link Ch 12p)

IIS 4 and 5 could reveal portions of source code through the HTR vulnerability (link Ch 12q)
Apache Tomcat and BEA WebLogic had similar issues
Attack URLs:
http://www.iisvictim.example/global.asa+.htr
http://www.weblogicserver.example/index.js%70
http://www.tomcatserver.example/examples/jsp/num/numguess.js%70

Source Code Disclosure Countermeasures
Apply patches (these vulnerabilities were patched long ago)
Remove unneeded sample files
Never put sensitive data in the source code of files
You can never be sure source code is hidden

Canonicalization Attacks
There are many ways to refer to the same file:
C:\text.txt
..\text.txt
\\computer\C$\text.txt
The process of resolving a resource to a standard (canonical) name is called canonicalization

ASP::$DATA Vulnerability
Affected IIS 4 and earlier versions
Just adding ::$DATA to the end of an ASP page's URL revealed the source code
http://xyz/myasp.asp::$DATA
Link Ch 12r