Web Server Attacks PDF

Summary

This document provides an overview of various web server attacks. It covers topics such as different attack types, their impact, and preventative measures. The document also includes discussion of security issues like DNS attacks and server misconfiguration.

Full Transcript


Web Server Attacks
==================

Discuss Various Web Server Attacks
----------------------------------

### Web Server Operations

A **web server** is a computer system that [stores], [processes], and [delivers web pages] to clients via HTTP.

### Web Server Components

- **Document Root**: Stores the [critical HTML files] for a domain's web pages
- **Server Root**: Stores the [server's configurations], [error files], [executables], and [logs]
- **Virtual Document Tree**: Provides [storage on a different machine or disk] after the original disk fills up
- **Virtual Hosting**: Technique of [hosting multiple domains or websites] on the same server
- **Web Proxy**: Sits between the client and server to [prevent IP blocking and maintain anonymity]

### Web Server Security Issues

Attackers target software vulnerabilities and configuration errors to compromise web servers. Network- and OS-level attacks can be defended against with [proper security measures]. Web servers are [highly vulnerable] to attack because they are accessible from anywhere via the Internet.

1. Security (IPS / IDS)
2. Network (Router / Switch)
3. Operating System (Windows / Linux / macOS)
4. Database (Oracle / MySQL / MS SQL)
5. **Web Server** (Apache / Microsoft IIS)
6. Third-party Components (Open Source / Commercial)
7. Custom Web Applications (Business Logic Flaws)

### Impact of Web Server Attacks

- Compromise of [user accounts]
- Website [defacement]
- [Secondary attacks] launched from the website
- [Root access] to other applications or servers
- Data tampering and [theft]
- [Reputational damage] to the company

### Why are Web Servers Compromised?
- [Improper] file and directory [permissions]
- Server installation with [default settings]
- Enabling of [unnecessary services]
- [Security conflicts] with the business ease-of-use case
- [Lack of proper security policies], procedures, and maintenance
- [Improper authentication] with external systems
- [Default accounts] having default passwords, or no passwords
- [Misconfigurations] in the web server, operating systems, and networks

### Web Server Attacks

#### DNS Server Hijacking

The attacker compromises a DNS server and [changes the DNS settings] to redirect requests to their own malicious server.

#### DNS Amplification Attack

The attacker exploits the [DNS recursive method] of DNS redirection to perform DNS amplification attacks. The attacker uses compromised PCs with [spoofed IP addresses] to amplify DDoS attacks on the DNS server by exploiting the DNS recursive method.

#### Directory Traversal Attacks

Attackers use [../] sequences to access restricted [directories] outside the web server root, attempting to find sensitive information through [trial and error].

#### Website Defacement

The attacker [alters a web page's visual appearance] by inserting or substituting provocative or offensive data, exposing visitors to some [propaganda] until it is corrected.

#### Web Server Misconfiguration

Server misconfiguration is a [configuration weakness in web infrastructure] that can be exploited to launch attacks such as directory traversal, server intrusion, and data theft. Common web server misconfigurations:

- Sample configuration and script files
- Anonymous or default users/passwords
- Verbose debug/error messages
- Remote administration functions
- Unnecessary services enabled
- Misconfigured/default SSL certificates

#### HTTP Response-Splitting Attack

[Add header response data into the input field] so that the server splits the response into two responses.
The attacker can [control the first response to redirect the user to a malicious website], while the browser discards the rest.

#### Web Cache Poisoning Attack

Attackers [swap cached content] for a random URL with malware. Victims [unknowingly use the poisoned content] instead of the true, secured content when they request the URL through the cache. An attacker forces the [web server's cache to flush] and then sends a specially [crafted request].

#### SSH Brute Force Attack

SSH protocols create [encrypted connections] to transfer unencrypted data. Attackers can brute force SSH login credentials to gain [unauthorized access], [transmitting malware] via SSH tunnels undetected.

#### Web Server Password Cracking

Attackers exploit weaknesses to hack [well-chosen passwords]. Common passwords include "password", "root", and pet names. Attackers mainly target:

- SMTP servers
- Web shares
- SSH tunnels
- Web form authentication cracking
- FTP servers

Attackers use [social engineering, phishing, spoofing] and viruses to steal passwords. Passwords can be cracked manually or with automated tools.

#### Server-Side Request Forgery (SSRF) Attack

Attackers exploit SSRF vulnerabilities to [send crafted requests] to internal or back-end servers, allowing them to perform [port scanning], [network scanning] and [IP address discovery], and to bypass authentication.

### Web Server Attack Tools

**Metasploit**: Platform that [exploits web servers] using known vulnerabilities and weak passwords over various protocols.

Discuss Web Server Attack Countermeasures
-----------------------------------------

### Web Server Attack Countermeasures

- Apply [restricted ACLs] and block remote registry access.
- Secure the [SAM] on stand-alone servers.
- [Configure security settings] and restrict access to the metabase file using [NTFS permissions].
- Remove unnecessary [ISAPI filters].
- Remove [unnecessary file shares], including default admin shares, and secure the remaining shares with NTFS permissions.
- Relocate sites and directories to [non-system partitions] and use IIS permissions to [limit access].
- Remove unused [IIS script mappings] to prevent exploitation of ISAPI bugs.

### Web Server Security Tools

**Fortify WebInspect**: Automated dynamic testing that discovers security vulnerabilities in running apps.

Web Application Attacks
=======================

Understand Web Application Architecture and Vulnerability Stack
---------------------------------------------------------------

### Introduction to Web Applications

**Web applications** provide an [interface between end users and web servers] through a set of web pages. While they enforce [security policies], they remain vulnerable to attacks like SQL injection, cross-site scripting, and session hijacking.

### How Web Applications Work

User -> Login Form -> Internet -> Firewall -> Web Server -> Web Application Server -> DBMS (-> Output) -> OS System Calls -> Operating System

### Web Application Architecture

### Web Services

A **web service** is an internet-deployed app or software that uses standard protocols like [SOAP], [UDDI], WSDL, and [REST] for [inter-platform communication].

### Types of Web Services

- **SOAP** web services: Use the [XML format] for data transfer between provider and requestor
- **RESTful** web services: Use [constraints] based on HTTP concepts for improved performance

### Vulnerability Stack

1. Security (IPS / IDS)
2. Network (Router / Switch)
3. Operating System (Windows / Linux / macOS)
4. Database (Oracle / MySQL / MS SQL)
5. Web Server (Apache / Microsoft IIS)
6. Third-party Components (Open Source / Commercial)
7.
   **Custom Web Applications (Business Logic Flaws)**

Discuss Web Application Threats and Attacks
-------------------------------------------

OWASP Top 10 Application Security Risks -- 2017:

### A1 - Injection Flaws

Injection flaws allow [untrusted data] to be executed as [commands or queries]. They are exploited by [constructing malicious inputs] and lead to data loss, corruption, or denial of access.

- **SQL Injection**: Injecting malicious [SQL queries] into user input forms
- **Command Injection**: Injecting [malicious code] through a web app
- **LDAP Injection**: Injecting malicious [LDAP statements]

#### Countermeasures

**SQL Injection Attacks:**

- Limit user input [length]
- Use custom [error messages]
- Monitor [DB traffic]

**Command Injection Flaws:**

- Perform [input validation]
- Escape [dangerous characters]
- Use [language-specific] libraries

**LDAP Injection Attacks:**

- Perform type, pattern, and [domain value validation] on all input data
- Make the [LDAP filter] specific
- Validate and restrict the [amount of data returned] to the user

### A2 - Broken Authentication

Attackers can [impersonate] users by exploiting vulnerabilities in [authentication] or [session management functions].

- **Session ID in URLs**: Attackers obtain the session ID by [sniffing the network traffic] or by tricking the user, and then reuse it
- **Password Exploitation**: If passwords are not encrypted, an attacker who gains access to a [web app's password database] can exploit it
- **Timeout Exploitation**: Attackers can [exploit a user's privileges] if the user closes the browser without logging out and the app's timeouts are misconfigured

#### Countermeasures

- Use [SSL] for authenticated parts
- Store user identities and credentials in a [hashed form]
- Never submit session data as part of a [GET] or [POST]

### A3 - Sensitive Data Exposure

Sensitive data exposure occurs due to flaws like [insecure cryptographic storage] or information [leakage].
[Poor encryption code] can lead to [stolen or modified sensitive data] such as credit cards, SSNs, and credentials.

#### Countermeasures

- Do not use [weak cryptographic algorithms]
- [Generate keys offline] and store them securely
- Ensure data is not easy to [decrypt]

### A4 - XML External Entity (XXE)

An XML External Entity attack is a form of [server-side request forgery] (SSRF). It occurs when a misconfigured XML parser allows [applications to parse XML input] from an unreliable source. Attackers can redirect a victim's web app to an external entity through [malicious XML input], allowing [access to protected files and services].

#### Countermeasures

- [Avoid processing XML input] containing external entity references using a weakly configured XML parser
- The [XML unmarshaller] should be configured securely
- [Parse the document] with a securely configured parser

### A5 - Broken Access Control

The attacker identifies a flaw related to access control and [bypasses the authentication]. They can then [act as users or admins], creating, reading, updating or deleting [every record].

#### Countermeasures

- Perform [access control checks] before redirecting
- Do not use [insecure IDs]
- Use a session [timeout] mechanism

### A6 - Security Misconfiguration

- **Unvalidated Inputs**: Web applications process client input [without validation]
- **Parameter/Form Tampering**: [Manipulating parameters] exchanged between client and server to modify data
- **Improper Error Handling**: Gives [insight into source code], such as logic flaws and default accounts
- **Insufficient Transport Layer Protection**: [Supports weak algorithms] and uses expired or invalid certificates
#### Countermeasures

- Configure [security mechanisms] and disable unused services
- Set roles and permissions and [disable default accounts]
- Scan for [vulnerabilities] and apply security patches
- Redirect non-SSL requests to the [SSL page]

### A7 - Cross-Site Scripting (XSS) Attacks

Cross-site scripting ('XSS' or 'CSS') attacks inject malicious scripts into web pages, [exploiting vulnerabilities in dynamically generated web pages]. XSS occurs when [unvalidated input data] is included in dynamic content.

#### Countermeasures

- [Validate all parameters] against a specification
- Use [testing tools] during design to eliminate XSS holes
- Use a web application firewall to block the [execution of malicious scripts]
- Convert [non-alphanumeric characters] to HTML entities before displaying user input

### A8 - Insecure Deserialization

Attackers [inject malicious code into serialized data]. Insecure deserialization deserializes the malicious serialized content [along with the injected malicious code].

#### Countermeasures

- Validate untrusted input to ensure [trusted classes only] are deserialized
- Deserialization of trusted data must cross a [trust boundary]
- [Re-architect] applications

### A9 - Using Components with Known Vulnerabilities

Web apps often [execute components with full privileges], making flaws in components a serious risk. Attackers scan and analyze components for vulnerabilities and exploit them using resources such as [Exploit Database] and [SecurityFocus].

#### Countermeasures

- Regularly [check versions]
- [Monitor] vulnerabilities
- Regularly apply [security patches]

### A10 - Insufficient Logging and Monitoring

Web apps log usage patterns, including [user and admin login credentials]. Insufficient logging and monitoring means that a [malicious event is not logged] or that important information about the event is ignored. Attackers often inject, delete or tamper with logs to [hide their activities or identities].
#### Countermeasures

- Define the [log monitoring] scope to include critical areas
- Set a logging [baseline]
- Ensure user-contextual [logging for traceability]

### Web Application Attack Tools

**Burp Suite**: Supports web app testing from mapping to finding/fixing security vulnerabilities.

**OWASP Zed Attack Proxy**: Security tool with automated scanners and tools for finding vulnerabilities manually.

### Web Application Security Testing Tools

**N-Stalker Web App Security Scanner**: [Scans for web app vulnerabilities].

SQL Injection Attacks
=====================

Discuss Types of SQL Injection Attacks
--------------------------------------

### What is SQL Injection?

An attack that exploits [un-sanitized input vulnerabilities] to pass SQL commands through a web app for execution by the backend database. It allows [unauthorized access] or direct information retrieval.

### Why Bother about SQL Injection?

SQL injection can be used to implement the following types of attacks:

- Authentication Bypass
- Authorization Bypass
- Information Disclosure
- Compromised Data Integrity
- Compromised Availability of Data
- Remote Code Execution

### SQL Injection and Server-side Technologies

**Server-side Technology:**

- Server-side technologies like ASP.NET enable developers to create dynamic, data-driven websites and web apps with ease.

**Exploit:**

- Hackers can exploit ASP.NET and SQL using SQL injection attacks.

**Susceptible Databases:**

- All relational databases, including SQL Server, Oracle, IBM DB2, and MySQL, are vulnerable to SQL injection attacks.

**Attack:**

- Target weakly coded [websites/apps] that don't follow [secure coding practices] in relational databases.

Types of SQL Injection:

### In-Band SQL Injection

Attackers use the [same communication channel] to perform the attack and [retrieve] the results.

*Types of in-band SQL Injection*:

- **Error-based SQL Injection**: [Insert bad input] to cause the DB to [return an error].
  Example: `http://www.example.com/product.php?id=10||UTL_INADDR.GET_HOST_NAME((SELECT user FROM DUAL))---`
- **System Stored Procedure**: Exploit [stored procedures] to carry out attacks.
- **Illegal/Logically Incorrect Query**: Send an [incorrect query] to the database to generate an error message.
- **Union SQL Injection**: Add a malicious query using a UNION clause, joining a [forged] query [to the original query].
  Example: `SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable`
- **Tautology**: Inject [always-true statements] so that rows are returned once the WHERE condition is evaluated.
  Example: `SELECT * FROM users WHERE name = '' OR '1'='1';`
- **End of Line Comment**: End-of-line comments [nullify the following] legitimate code.
  Example: `SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --';`
- **In-line Comments**: [Combine multiple vulnerable inputs] in a single query using inline comments.
  Example: `INSERT INTO Users (UserName, isAdmin, Password) VALUES('Attacker', 1, /*', 0, '*/'mypwd')`
- **Piggybacked Query**: Inject an [additional malicious query] into the original query.
  Example: `SELECT * FROM EMP WHERE EMP.EID = 1001 AND EMP.ENAME = 'Bob'; DROP TABLE DEPT;`

### Blind/Inferential SQL Injection

- **No Error Message**: Used when the [web application is vulnerable] but the results of the injection are [not visible to the attacker]
- **Generic Page**: Type of SQLi where error messages are hidden, [displaying a generic page] instead
- **Time-intensive**: A [time-intensive] attack recovers bits by crafting [new statements]. An attacker can still steal data by asking a series of true/false questions through SQL statements.
- **WAITFOR DELAY**: Use the 'waitfor delay' command to check SQL execution status; WAITFOR DELAY 'time' waits for a specified time, while **BENCHMARK()** runs a command multiple times.
  Examples: `WAITFOR DELAY '0:0:10'---` and `BENCHMARK(howmanytimes, do this)`
- **Boolean Exploitation**: Attackers use [true] and [false] boolean statements in an HTTP request to infer the [success of injection]. Example:
  - Original request: `http://www.myshop.com/item.aspx?id=67`
  - An attacker may manipulate the above request to `http://www.myshop.com/item.aspx?id=67 and 1=2`
- **Heavy Query**: Used to perform time-delay SQL injection attacks by making the database retrieve large amounts of data. Example:
  `SELECT * FROM products WHERE id=1 AND 1 < (SELECT count(*) FROM all_users A, all_users B, all_users C)`

### Out-of-Band SQL Injection

- Requires [communication with the server] to exploit the database's features
- Attackers use [varied communication channels] to launch the attack
- Uses [DNS/HTTP requests] to retrieve data from the database server
- The attacker exploits the [xp_dirtree command] in Microsoft SQL Server to send DNS requests to a server under their control

### SQL Injection Tools

**sqlmap**: Automatically detects and exploits SQL injection flaws and takes over database servers.

Discuss SQL Injection Attack Countermeasures
--------------------------------------------

### SQL Injection Attack Countermeasures

- [Don't assume] the size, type, or content of the data received by your application
- Test input size and type, and enforce [limits to prevent buffer overruns]
- Accept only [expected string values]
- Reject entries with [binary data], [escape sequences] and [comments]
- [Never] build [Transact-SQL] statements [from user input]; use stored procedures to validate user input
- Implement [multiple layers of validation] and [never concatenate] unvalidated user input

### SQL Injection Detection Tools

**Damn Small SQLi Scanner (DSSS)**: SQL injection scanner that scans web applications for vulnerabilities.
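The tautology input from the in-band section, run against a concatenated query and against the parameterised, validated version the countermeasures call for. This is an added example, not code from the original notes; the `users` table and its three rows are constructed sample data, and the name pattern `NAME_RE` is an assumed "expected string value" for this demonstration.

```python
import re
import sqlite3

# Constructed sample rows, not from the original notes.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test"),
                ("carol", "carol@example.test")]

# Assumed shape of an acceptable user name: the "accept only expected string
# values" layer. Quotes, spaces and comment markers never match.
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_concat(conn, name):
    """Vulnerable: the statement is built by concatenating user input, which
    is exactly what the countermeasures say never to do. An always-true
    input such as ' OR '1'='1 turns the WHERE clause into the notes'
    tautology and every row comes back."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, name):
    """Hardened: a bound parameter. The driver passes the input as a value,
    so the quote characters are never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def find_user_validated(conn, name):
    """Layered defence: reject unexpected characters first, then run the
    parameterised query. Returns None when the input is rejected."""
    if not NAME_RE.match(name):
        return None
    return find_user_param(conn, name)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # the always-true input from the Tautology item
    print(find_user_concat(db, tautology))    # every row
    print(find_user_param(db, tautology))     # no row has that literal name
    print(find_user_validated(db, tautology))  # rejected before reaching the DB
```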
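Returning to the Directory Traversal Attacks section earlier on this page: the check below maps a requested URL path onto the document root and refuses anything that would resolve outside it, including percent-encoded and double-encoded `../` sequences. This is an added example, not code from the original notes; it assumes a POSIX filesystem, the document root `/var/www/html` is a placeholder, and the request paths are constructed samples of the kind seen in access logs.

```python
import os
from urllib.parse import unquote

# Placeholder document root for the demonstration (not from the notes).
DOC_ROOT = "/var/www/html"

# Constructed sample request paths, including traversal attempts.
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/../css/site.css",       # climbs, but stays inside the root
    "/../../etc/passwd",             # plain ../ traversal
    "/..%2f..%2fetc/passwd",         # percent-encoded slashes
    "/static/%252e%252e/secret",     # double-encoded dots
    "/docs/report.pdf%00.html",      # null-byte truncation attempt
]


def resolve_under_root(doc_root, request_path):
    """Return the filesystem path for request_path, or None if the request
    must be rejected because it does not stay under doc_root."""
    # Decode percent-encoding exactly once, as the server would.
    decoded = unquote(request_path)
    # A null byte can truncate the path in lower layers; a percent sign
    # surviving one round of decoding means the input was double-encoded.
    # Both are rejected outright (conservative: a literal '%' in a file
    # name is also refused).
    if "\x00" in decoded or "%" in decoded:
        return None
    root = os.path.normpath(doc_root)
    # Strip the leading slash so join() cannot be overridden by an absolute
    # path, then let normpath collapse every "." and ".." segment.
    candidate = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    # Accept only the root itself or a path strictly below it; the os.sep
    # suffix stops "/var/www/htmlx" from passing as a prefix match.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def audit(doc_root, requests):
    """Map each request path to its resolved path or None (rejected)."""
    return {p: resolve_under_root(doc_root, p) for p in requests}


if __name__ == "__main__":
    for path, resolved in audit(DOC_ROOT, SAMPLE_REQUESTS).items():
        print(f"{path:32} -> {resolved or 'REJECTED'}")
```

Symbolic links are not followed by `os.path.normpath`; on a real filesystem, apply the same prefix check to `os.path.realpath(candidate)` before opening the file.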
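Returning to the HTTP Response-Splitting Attack section earlier on this page: the code below builds a redirect from a user-supplied `Location` value the unsafe way, shows how a client would count two responses in the result, and then the hardened builder that refuses CR/LF and percent-encodes the value. This is an added example, not code from the original notes; the redirect target and the split input are constructed samples.

```python
import re
from urllib.parse import quote

# A header value must be a single line: a CR or LF lets the client read the
# remainder of the input as further headers or as a second response.
ILLEGAL = re.compile(r"[\r\n]")

# Constructed input: a redirect target followed by the start of a second,
# attacker-shaped response (the "two responses" the notes describe).
SPLIT_INPUT = ("/home\r\nContent-Length: 0\r\n\r\n"
               "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               "Content-Length: 5\r\n\r\n<h1>x")


def build_redirect_unsafe(location):
    """Vulnerable: the user-controlled value is copied verbatim into the
    Location header, so embedded CR/LF terminates the header block."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + location + "\r\n"
            "Content-Length: 0\r\n\r\n")


def is_safe_header_value(value):
    """True when the value contains no CR or LF characters."""
    return ILLEGAL.search(value) is None


def build_redirect_safe(location):
    """Hardened: reject CR/LF outright, then percent-encode everything that
    is not a legal URL character so the value can never span two lines."""
    if not is_safe_header_value(location):
        raise ValueError("CR/LF not allowed in a header value")
    return build_redirect_unsafe(quote(location, safe="/:?=&%#"))


def count_responses(raw):
    """How many responses a client parsing `raw` would see (one per status line)."""
    return len(re.findall(r"(?m)^HTTP/1\.[01] \d{3}", raw))


if __name__ == "__main__":
    print(count_responses(build_redirect_unsafe(SPLIT_INPUT)))   # 2
    print(count_responses(build_redirect_unsafe("/home")))       # 1
    print(is_safe_header_value(SPLIT_INPUT))                     # False
```

The same single-line rule applies to any header built from input, such as `Set-Cookie`; most modern frameworks already enforce it, and this shows what that enforcement consists of.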
