Hacking Web Servers - Amazon Web Services



Hacking Web Servers and Web Applications

Hacking Web Servers

A web server is a system used for storing, processing, and delivering websites. It is designed to host web applications, allowing clients to access those applications. It implements the client-server model architecture, in which the server has the server role and the browser has the client role.

A web server consists of:
- Document root is a folder which stores the HTML files of a website
- Server root is a folder which stores configuration, log, and executable files
- Virtual document tree is a type of storage located on a different disk and used when the original disk becomes full
- Virtual hosting is hosting more than one domain on a single server
- Web proxy is a server placed between the client and the server, which means that all requests coming from the client go through the proxy to the server instead of going directly to the server

Open-source web server architecture is an architecture that uses Linux, Apache, MySQL, and PHP as components.

Internet Information Services, or IIS, is a web server application developed for Windows Server to host web applications.

Web Server Threats and Attacks

Just as with any computer system, web servers too can be compromised. Attackers use various techniques to launch attacks on target web servers and gain unauthorized access.
Some of the attacks include:
- DoS/DDoS attacks
- DNS server hijacking
- DNS amplification attacks
- Directory traversal attacks
- MITM attacks
- Phishing attacks
- Website defacement
- Web server misconfiguration
- HTTP response splitting attacks
- Web cache poisoning
- SSH brute force attacks
- Web server password cracking attacks
- Web application attacks

DoS/DDoS attacks

A DoS/DDoS attack is an attack in which the attacker sends a large number of requests to the target web server to prevent the server from functioning properly.

DNS server hijacking

A DNS server hijacking attack is an attack in which the attacker targets a DNS server and tampers with its mapping settings, making it redirect clients to the attacker's rogue server, which serves the attacker's malicious website.

DNS amplification attacks

A DNS amplification attack is an attack in which the attacker uses recursive DNS queries to send a large number of requests with the target's IP address as the source address to the DNS server, prompting it to reply to the target's IP address and in such a way overwhelm the target's server.

Directory traversal attacks

A directory traversal attack is an attack in which the attacker manipulates the target URL to gain access to restricted directories.

MITM attacks

A man-in-the-middle attack is an attack in which the attacker intercepts the traffic going from the client to the server and back. They do so by tricking the client into thinking that the attacker is a proxy. Once the client accepts the connection from the attacker, the entire communication between the client and the server goes through the attacker, allowing them to steal information.

Phishing attacks

A phishing attack is an attack in which the attacker emails the target with malicious links. Once the target clicks on the link, they are redirected to a malicious website which prompts them to provide sensitive information.
The attacker then steals this information.

Website defacement

A website defacement attack is an attack in which the attacker makes changes to the target website's content.

Web server misconfiguration

A web server misconfiguration attack is an attack in which the attacker exploits vulnerabilities in the server's misconfiguration.

HTTP response splitting attacks

An HTTP response splitting attack is an attack in which the attacker injects new lines into response headers, making the server split one response into two. The attacker is then able to control the first response coming from the server and redirect the client to a malicious website.

Web cache poisoning

A web cache poisoning attack is an attack in which the attacker replaces cached content with malicious content.

SSH brute force attacks

An SSH brute force attack is an attack in which the attacker acquires the SSH login credentials and creates SSH tunnels between two hosts through which they can then transfer malicious content.

Web server password cracking attacks

A web server password cracking attack is an attack in which the attacker cracks the target server's passwords and uses them to perform new attacks.

Web application attacks

A web application attack is an attack in which the attacker exploits vulnerabilities in the application code.

Hacking Methodology

The web server hacking methodology provides attackers with steps to follow to execute a successful attack. These steps are:
- Gather information about the target web server
- Learn about the server's remote access capabilities, ports, and services
- Mirror the target website to browse it offline
- Discover vulnerabilities
- Perform session hijacking and password cracking attacks

During the information gathering step, the attacker might try to acquire the target's robots.txt file, which contains the directories and files that are hidden from web crawlers.
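
robots.txt only asks well-behaved crawlers to stay away; it does not protect the paths it lists, so a defender should check that every path hidden there is actually access-controlled. The following is an added example, not part of the original notes: it parses a robots.txt, flags Disallow entries whose names suggest sensitive content, and cross-checks them against a constructed map of which prefixes the server really protects (the sample file, the protected prefixes and the hint list are all assumptions for the demo).

```python
import re
from dataclasses import dataclass, field

# Constructed sample robots.txt, the kind of file the information-gathering
# step described above would fetch. Hypothetical paths, not from any real site.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/site.tar.gz
Disallow: /config/db.ini
Disallow: /tmp/
Allow: /public/

User-agent: Googlebot
Disallow: /private-reports/
Crawl-delay: 10
"""

# Constructed view of which URL prefixes the server really protects with
# authentication (hypothetical; in practice this comes from the server config).
PROTECTED_PREFIXES = ("/admin/", "/private-reports/")

# Path fragments that commonly indicate content hidden "by obscurity" only.
SENSITIVE_HINTS = ("admin", "backup", "config", ".ini", ".sql", ".tar", ".zip",
                   "private", "secret", "password", "passwd", ".bak", ".old")


@dataclass
class RobotsGroup:
    agents: list = field(default_factory=list)
    disallow: list = field(default_factory=list)
    allow: list = field(default_factory=list)


def parse_robots(text):
    """Parse robots.txt into user-agent groups (records separated by blank lines)."""
    groups, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            current = None                     # a blank line ends the record
            continue
        if ":" not in line:
            continue                           # tolerate junk lines
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            # consecutive User-agent lines share one group; a User-agent
            # after rules starts a new group
            if current is None or current.disallow or current.allow:
                current = RobotsGroup()
                groups.append(current)
            current.agents.append(value)
        elif current is not None and key == "disallow" and value:
            current.disallow.append(value)
        elif current is not None and key == "allow" and value:
            current.allow.append(value)
        # other directives (Crawl-delay, Sitemap, ...) are ignored here
    return groups


def is_protected(path):
    """Stand-in for a real check against the server's auth configuration."""
    return path.startswith(PROTECTED_PREFIXES)


def audit_robots(text, protected=is_protected):
    """Return sensitive-looking Disallow entries, split by whether the server
    actually enforces access control on them. The 'exposed' ones are hidden
    from crawlers but reachable by anyone who reads robots.txt."""
    findings = {"protected": [], "exposed": []}
    for group in parse_robots(text):
        for path in group.disallow:
            lowered = path.lower()
            if any(hint in lowered for hint in SENSITIVE_HINTS):
                bucket = "protected" if protected(path) else "exposed"
                if path not in findings[bucket]:
                    findings[bucket].append(path)
    return findings


if __name__ == "__main__":
    result = audit_robots(SAMPLE_ROBOTS)
    for path in result["exposed"]:
        print(f"ALERT: {path} is listed in robots.txt but not access-controlled")
    for path in result["protected"]:
        print(f"ok: {path} is hidden from crawlers and requires authentication")
```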
This file could provide the attacker with information such as passwords, emails, and hidden links.

To perform the aforementioned steps and succeed in hacking, attackers use tools such as Metasploit and Wfetch.

Metasploit is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities.

Wfetch is a tool that displays the request and response so that the communication can be easily understood. It can be used to create HTTP requests that test the performance of new websites or of websites that contain new elements, such as Active Server Pages (ASP) or wireless protocols.

Countermeasures

It is recommended that a web hosting network is comprised of three parts:
- Internet
- DMZ
- Internal network

The web server should be placed in the DMZ so that it is isolated from both the Internet and the internal network. Each part should be protected by a firewall and have its own hub or switch.

Another countermeasure is to ensure that the server is regularly updated and that security patches and hotfixes are applied. Ports and protocols that are not being used should be blocked, as well as all unnecessary ICMP traffic. Default passwords should be changed and unused default accounts disabled. Logs should be monitored frequently to ensure that the server hasn't been compromised. Changes in executable and regular files can be discovered by running a Website Change Detection System script, which periodically performs a hash comparison on files to determine whether any modifications were made to them and raises an alert.

Hacking Web Applications

Web applications are programs that allow users to interact with web servers. They run in web browsers with the help of client- and server-side scripts.

The web application architecture consists of:
- Client/presentation layer
- Business logic layer
- Database layer

The client/presentation layer consists of the devices on which the application runs.
Such devices include laptops, tablets, smartphones, etc.

The business logic layer has two layers:
- Web-server logic layer consists of components that handle requests and responses, and the code that reads and returns data to the browser
- Business logic layer contains the application data

The database layer consists of a B2B layer and a database server in which the organization's data is stored.

The vulnerability stack is comprised of seven layers, with each layer describing an element or service of a web application. This vulnerability stack is used to assess the vulnerabilities of the application by looking at its layers. Attackers also use the vulnerability stack to find vulnerabilities, exploit them, and launch attacks on the web application. Following are the layers of the vulnerability stack and the elements and services employed on them:

Layer 7: Web application (business logic flaws and technical vulnerabilities)
Layer 6: Third-party applications (open source or commercial)
Layer 5: Web server (Apache / IIS)
Layer 4: Database (MySQL / Oracle)
Layer 3: OS (Linux / Windows / OS X)
Layer 2: Network (router / switch)
Layer 1: Security (IPS / IDS)

Each of the layers represents an important part of a web application and contains sensitive data and information which, if compromised, could help an attacker cause great damage to the server and application.

Web Application Threats and Attacks

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. The OWASP Top 10 project produces a document that describes the top 10 application security threats.
The latest document lists the following top 10 security threats:
- Injection
- Broken authentication
- Sensitive data exposure
- XML External Entity
- Broken access control
- Security misconfiguration
- Cross-Site Scripting (XSS)
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging and monitoring

Injection

An injection attack is an attack in which the attacker injects malicious data into commands and queries which are then executed by the application. This attack targets input fields or entry points of the application and allows attackers to extract sensitive information. The most commonly used injection attacks are:
- SQL injection is an attack in which the attacker injects malicious SQL queries into the application
- Command injection is an attack in which the attacker injects malicious commands into the application
- LDAP injection is an attack in which the attacker injects malicious LDAP statements into the application

Broken authentication

Broken authentication refers to threats and vulnerabilities in authentication and session management. Attackers exploit these vulnerabilities to impersonate their targets. Some of the existing vulnerabilities include:
- Session IDs in URLs
- Unencrypted passwords
- Improperly set timeouts

Sensitive data exposure

Sensitive data exposure threats occur in applications that use weak encryption code for data encryption and storage. This vulnerability enables attackers to easily crack the encryption and steal the data.

XML External Entity

An XML External Entity attack is an attack in which the attacker takes advantage of a poorly configured XML parser, causing the application to parse XML input coming from an untrusted source.

Broken access control

Broken access control refers to threats and vulnerabilities in access control.
Attackers exploit these vulnerabilities to evade authentication and gain admin privileges.

Security misconfiguration

Security misconfiguration refers to vulnerabilities that exist in applications with a poorly configured application stack. Some of the problems that cause security misconfiguration vulnerabilities include:
- Unvalidated input fields
- Form and parameter manipulation
- Poor error handling

Cross-Site Scripting (XSS)

A cross-site scripting attack is an attack in which the attacker injects scripts into web pages which are then executed on the target's system.

Insecure deserialization

Insecure deserialization refers to a vulnerability which attackers exploit by injecting malicious code into serialized data which is then sent to the target. Because of the insecure deserialization vulnerability, the malicious serialized data is deserialized without the malicious code being detected, which allows the attacker to gain unauthorized access to the system.

Using components with known vulnerabilities

Using components with known vulnerabilities allows attackers to exploit them and execute attacks.

Insufficient logging and monitoring

Insufficient logging and monitoring occurs when the application fails to log malicious events and activities. This makes it difficult to detect attacks on the system.

Hacking Methodology

The web application hacking methodology provides attackers with steps to follow to execute a successful attack. These steps are:
- Web infrastructure footprinting
- Web server attack
- Web application analysis
- Client-side controls evasion
- Authentication attacks
- Authorization attacks
- Access control attacks
- Session management attacks
- Injection attacks
- Application logic vulnerability exploitation
- Database connection attacks
- Web services attacks

Web infrastructure footprinting

Footprinting the web infrastructure helps the attacker gather information about the target web infrastructure and identify vulnerabilities that can be exploited.
In this process, the attacker performs:
- Server discovery to learn about the servers that host the application
- Service discovery to determine which service can be attacked
- Server identification to learn information about the server such as version and make
- Hidden content discovery to discover hidden contents

Web server attack

The information gathered in the footprinting step allows hackers to analyze it, find vulnerabilities to exploit, and use various techniques to launch attacks on the server.

Web application analysis

Attackers analyze the target web application to identify its vulnerabilities and exploit them. To hack the application, attackers need to:
- Identify entry points for user input
- Identify server-side technologies used for generating dynamic web pages
- Identify server-side functionality
- Identify attack areas and associated vulnerabilities

Client-side controls evasion

Attackers attempt to bypass client-side controls on user input and interaction. To bypass the client-side controls, attackers attempt to:
- Attack hidden form fields
- Attack browser extensions
- Review the source code

Authentication attacks

Attackers attempt to exploit vulnerabilities that exist in the authentication mechanisms. By exploiting such vulnerabilities, attackers are able to perform:
- Username enumeration
- Password attacks
- Session attacks
- Cookie exploitation

Authorization attacks

An authorization attack is an attack in which the attacker accesses the application through a legitimate account that has limited privileges and then uses that account to escalate the privileges. To perform an authorization attack, the attacker uses the following sources:
- URI
- Parameter tampering
- POST data
- HTTP headers
- Cookies
- Hidden tags

Access control attacks

Attackers analyze the target website in an attempt to learn the details of the implemented access control.
During this process, attackers try to learn who has access to which sets of data, who has which access level, and how to escalate privileges.

Session management attacks

Attackers exploit vulnerabilities in authentication and session management to impersonate their targets. The process of generating a valid session token consists of two steps:
- Session token prediction
- Session token tampering

With a valid token, attackers are able to perform attacks such as MITM, session hijacking, and session replay.

Injection attacks

Attackers take advantage of unvalidated form inputs to inject malicious queries and commands.

Application logic vulnerability exploitation

Poor coding practices can leave the application vulnerable through logic flaws. If the attacker succeeds in identifying such flaws, they are able to exploit them and launch an attack.

Database connection attacks

Attackers execute attacks on the database connection to gain control over the database and thus gain access to sensitive information.

Web services attacks

Attackers target web services integrated into the web application to find and exploit the application's business logic vulnerabilities. They then use various techniques to execute an attack on the application.

Denial of Service

A Denial of Service, or DoS, attack is an attack in which the attacker overloads the target system with fake requests or traffic, resulting in the server being unable to function properly. The objective of a DoS attack is to render the target system useless and prevent users from accessing its resources. Generally, attackers launch DoS attacks to affect the target's network bandwidth or connectivity. Attacks on the network bandwidth result in the network being overloaded with traffic and unable to provide users with the resources they request.
Attacks on the connectivity result in the computer being overloaded with incoming connection requests and unable to process connection requests coming from legitimate users.

A Distributed Denial of Service, or DDoS, attack is an attack in which the attacker uses botnets to perform a DoS attack. The objective is to first compromise as many systems as possible and then use those systems to launch a DoS attack on the target.

Attack Vectors

Attack vectors of a DoS/DDoS attack are categorized as follows:
- Volumetric attacks
- Protocol attacks
- Application layer attacks

Volumetric Attacks

A volumetric attack is an attack in which the attacker attempts to use up the target network's or service's bandwidth, which results in users being deprived of those resources. Volumetric attacks can be flood attacks or amplification attacks. Flood attacks use zombies to send high-volume traffic to the target system, thus overloading the bandwidth. Amplification attacks use zombies to send magnified traffic to the target system, thus consuming its bandwidth.

Techniques used in this attack include:
- UDP flood attack
- ICMP flood attack
- Ping of death attack
- Malformed IP packet flood attack
- Spoofed IP packet flood attack

Protocol Attacks

A protocol attack is an attack in which the attacker attempts to consume the resources of a particular target device.
This attack targets connection state tables and overloads them in such a way that new connections cannot be made.

Techniques used in this attack include:
- SYN flood attack
- ACK flood attack
- TCP connection flood attack
- TCP state exhaustion flood attack
- Fragmentation attack
- RST attack

Application Layer Attacks

An application layer attack is an attack in which the attacker targets vulnerabilities in the application and attempts to exhaust the application's resources with a huge number of open connections so that new connections cannot be made.

Techniques used in this attack include:
- HTTP flood attack
- Slowloris attack

Attack techniques

UDP Flood Attack

A UDP flood attack is an attack in which the attacker floods random ports of the target server with a huge number of spoofed UDP packets, causing the server to continuously check for applications listening on those ports. Being unable to find any application associated with the packet, the system responds with an ICMP Destination Unreachable packet. With so many spoofed packets received and answered, the system eventually becomes unable to respond to legitimate applications.

ICMP Flood Attack

An ICMP flood attack is an attack in which the attacker floods the target system with a huge number of ICMP ECHO request packets. Replying to each received request causes the system to become overloaded and unable to respond to valid requests.

Ping of Death Attack

A Ping of Death attack is an attack in which the attacker uses the ping command to send malformed or oversized packets to the target system, causing it to crash.

Smurf Attack

A Smurf attack is an attack in which the attacker sends a huge number of ICMP ECHO request packets with the target's IP address as the source address to an IP broadcast network. Hosts on the broadcast network respond to the received requests, and their responses are sent to the target system.
With so many replies received, the system eventually becomes overloaded and crashes.

SYN Flood Attack

A SYN flood attack is an attack in which the attacker takes advantage of a flaw in the TCP three-way handshake. In this attack, the attacker sends a huge number of SYN requests with fake source IPs. The target responds with a SYN-ACK packet and waits for the sender to send back an ACK packet. However, because the source IP is fake, the target never receives the expected ACK packet, leaving the connection incomplete. With so many incomplete connections, the system eventually becomes unable to respond to legitimate requests.

Fragmentation Attack

A fragmentation attack is an attack in which the attacker sends a huge number of fragmented TCP or UDP packets at a small packet rate to the system in such a way that the system is forced to exhaust its resources while reassembling the packets, thus causing it to crash.

HTTP Flood Attack

An HTTP GET attack is an attack in which the attacker uses up the target server's resources by sending requests with time-delayed HTTP headers, making the server hold onto the connection and wait for the full request, which it never receives. This causes the server to be unavailable to legitimate users.

An HTTP POST attack is an attack in which the attacker uses up the target server's resources by sending requests with incomplete bodies, making the server wait for the remainder of the body, which it never receives. This causes the server to be unavailable to legitimate users.

Slowloris Attack

Slowloris is an attack tool used by attackers to take down web infrastructure. In this attack, the attacker sends a huge number of incomplete HTTP requests to the target server. The server receives the requests, opens a connection for each received request, and waits for the received requests to complete.
Since the requests never complete, and with so many open connections, the server eventually becomes unable to accept new connections.

Multi-Vector Attack

A multi-vector attack is an attack in which the attacker combines volumetric, protocol, and application layer attacks into one and launches it on the target server. The attacks can be launched sequentially or in parallel.

Peer-to-Peer Attack

A peer-to-peer attack is an attack in which the attacker takes advantage of bugs in a peer-to-peer server and instructs its clients to disconnect from the peer-to-peer server and connect to the target. With a great number of peer-to-peer clients, the target is overloaded.

Permanent DoS Attack

A permanent DoS attack is an attack in which the attacker targets and damages the target's hardware by sending updates corrupted with malfunctioning firmware to the device. Once the malicious update is installed on the device, the attacker gains access to the system.

Distributed Reflection DoS Attack

A distributed reflection DoS attack is an attack in which the attacker uses two sets of machines to carry out the attack. One set consists of zombies called intermediary machines, and the other set consists of uncompromised machines called secondary machines. The attacker instructs the intermediary machines to send a number of packets to the secondary machines. The packets sent contain the target's IP address as the source address. Once the secondary machines receive the requests, they respond and try to connect to the target. With a huge number of secondary machines sending so many requests repeatedly (because they are being discarded by the target), the target eventually becomes overwhelmed and unable to function properly.

Session Hijacking

Session hijacking is an attack in which the attacker targets a session between two machines in order to gain access to the target machine.
In this attack, the attacker exploits the vulnerabilities that exist in the mechanisms that generate session tokens. By guessing or stealing a valid session token, attackers are able to communicate with the server.

The process of session hijacking consists of several steps:
- Sniffing the network and coming in between the target and the server
- Monitoring the connection between the target and the server and predicting sequence numbers
- Breaking the connection between the target and the server
- Taking over the session
- Launching injection attacks on the server

Session hijacking can be:
- Passive session hijacking
- Active session hijacking

Passive session hijacking refers to observing the traffic on the network without interfering with the communication. In this type of session hijacking, attackers use sniffers to capture credentials which they can later use to access the target accounts.

Active session hijacking refers to the attacker interfering with the session and becoming a participant in the communication with the target server.

In terms of the OSI model, session hijacking is categorized into:
- Application level session hijacking
- Network level session hijacking

Session Hijacking on the Application Layer

Application level session hijacking is an attack in which the attacker targets a legitimate session and attempts to either predict or steal the session ID and thus gain access to the server. Techniques used in this type of attack include:
- Stealing the session ID
- Guessing the session ID
- Brute forcing the session ID

Application level session hijacking attacks

Session Sniffing

A session sniffing attack is an attack in which the attacker uses sniffers to capture packets and then analyzes them to determine the session token.
Once the attacker acquires the session token, they are able to gain access to the server.

Session Token Prediction

A session token prediction attack is an attack in which the attacker collects a large number of valid session IDs and analyzes their structure to predict a valid session ID.

Man-in-the-Middle Attack

A man-in-the-middle attack is an attack in which the attacker gains access to the communication channel between two machines. In this attack, the attacker splits the connection into two parts and is able to manipulate the communication between the machines.

Man-in-the-Browser Attack

A man-in-the-browser attack is an attack in which the attacker uses a trojan to infect the target's browser. The attacker is then able to intercept and manipulate the communication between the browser and the destination server. Attackers use MITB to target financial transactions.

XSS Attack

A cross-site scripting, or XSS, attack is an attack in which the attacker injects scripts into web pages which are then executed on the target's system. Attackers use this attack to obtain the target's session ID.

CSRF Attack

A cross-site request forgery, or CSRF, attack is an attack in which the attacker targets authenticated sessions and tricks the target into submitting a malicious form created by the attacker to the target's server. Because the connection between the target and the server is authenticated, the server accepts the data from the submitted form.

Session Replay Attack

A session replay attack is an attack in which the attacker eavesdrops on the conversation between the target server and the user, waiting to capture the authentication token from the user. Once the user sends the authentication token, the attacker captures it and replays the request to the server, thus gaining access.

Session Fixation Attack

A session fixation attack is an attack in which the attacker establishes a session with a server and tricks the target into authenticating themselves using the session ID of the attacker's session.
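
Session fixation works only if the server keeps honouring the attacker's pre-planted ID after the victim logs in, and session token prediction only if IDs are generated predictably. The following is an added example, not part of the original notes: a minimal server-side session store that addresses both by drawing IDs from the CSPRNG and rotating the ID at login, so an ID known to the attacker never becomes an authenticated session. The store, its idle timeout and the user name are assumptions for the demo.

```python
import secrets
import time

# Idle timeout in seconds; the "improperly set timeouts" weakness listed under
# Broken authentication is the absence of a limit like this. Value assumed.
SESSION_TTL = 15 * 60


class SessionStore:
    """Server-side session table keyed by an unguessable session ID."""

    def __init__(self, clock=time.time):
        self._sessions = {}      # session id -> {"user", "created", "last_seen"}
        self._clock = clock      # injectable for tests

    def _new_id(self):
        # 32 random bytes (256 bits) from the OS CSPRNG: collecting many IDs,
        # as in the prediction attack above, reveals nothing about the next one.
        return secrets.token_urlsafe(32)

    def create(self):
        """Anonymous (pre-login) session, e.g. for a shopping cart."""
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Resolve a presented ID; unknown or idle-expired IDs yield None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > SESSION_TTL:
            del self._sessions[sid]
            return None
        entry["last_seen"] = self._clock()
        return entry

    def login(self, presented_sid, user):
        """Authenticate: retire the presented ID and issue a fresh one.
        State from the anonymous session is carried across, but the old ID
        (the one an attacker may have fixed) stops working immediately."""
        old = self._sessions.pop(presented_sid, None)
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {
            "user": user,
            "created": old["created"] if old else now,
            "last_seen": now,
        }
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def fixation_scenario():
    """Replay the fixation attack described above against this store and report
    whether the attacker's pre-planted ID ends up authenticated."""
    store = SessionStore()
    attacker_sid = store.create()       # attacker obtains a valid anonymous ID
    # ... attacker tricks the victim into presenting attacker_sid at login ...
    victim_sid = store.login(attacker_sid, user="alice")   # "alice" is constructed
    attacker_view = store.lookup(attacker_sid)             # attacker retries the fixed ID
    victim_view = store.lookup(victim_sid)
    return {
        "attacker_id_authenticated": attacker_view is not None,
        "victim_id_authenticated": victim_view is not None and victim_view["user"] == "alice",
        "ids_differ": attacker_sid != victim_sid,
    }


if __name__ == "__main__":
    print(fixation_scenario())
```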
Then, the attacker can use that same session ID to access the target's account.

CRIME Attack

A CRIME attack is an attack in which the attacker exploits the compression vulnerabilities that exist in the HTTPS and SPDY protocols. In this attack, the attacker decrypts the target's session cookies and hijacks the session.

Session Hijacking on the Network Layer

Network level session hijacking is an attack in which the attacker intercepts the packets transmitted between the client and the server.

Network level session hijacking attacks

TCP/IP Hijacking

TCP/IP hijacking is an attack in which the attacker uses spoofed packets to hijack the target's connection and then redirects the traffic to their computer. When this happens, the server continues the communication with the attacker, believing them to be a valid client.

IP Address Spoofing Using Source Routing

A source routing attack is an attack in which the attacker hijacks a TCP session, creates forged packets, injects the packets into the session, and specifies the route which the packets will take from the source to the destination server. The source IP address belongs to the trusted client, thus ensuring that the server accepts the attacker's packets.

RST Hijacking

RST hijacking is an attack in which the attacker terminates the connection between the target and the server. The attacker sends an RST packet to the target with the server's IP address as the source. If the attacker manages to predict the ACK number in the sent packet, the connection will be reset.

Blind Hijacking

Blind hijacking is an attack in which the attacker hijacks a TCP session and injects malicious data into the session but is unable to see the response.

UDP Hijacking

UDP hijacking is an attack in which the attacker hijacks a UDP session and creates and sends a forged reply to the client, making it look like it came from the server.
This prevents the client from continuing its communication with the server.

Network Level MITM Attack

A network level MITM attack allows the attacker to change the client's default gateway and reroute the sent packets so that they go through the attacker. The rerouting is accomplished in two ways:
- Using forged ICMP packets to send error messages and trick the client and the server into using the attacker's route
- Using ARP spoofing to reroute the traffic through the attacker

SQL Injection

SQL injection is an attack in which the attacker injects malicious SQL queries into the application. In this attack, the attacker targets vulnerable applications and attempts to either gain unauthorized access or retrieve data stored in the database.

Attackers use SQL injection to:
- Log onto the system without providing valid credentials
- Retrieve sensitive information stored in the database
- Modify the information stored in the database
- Delete the information stored in the database

SQL Injection Types

SQL injection has three types:
- In-band SQL injection
- Blind/inferential SQL injection
- Out-of-band SQL injection

In-Band SQL Injection

In-band SQL injection is an injection attack in which the attacker uses one channel to both inject malicious queries and retrieve results.
Types of in-band SQL injection are:
- Error-based SQL injection is an injection attack in which the attacker deliberately causes the database to throw errors and in such a way identifies vulnerabilities
- System stored procedure is an injection attack in which the attacker injects malicious queries into stored procedures
- UNION SQL injection is an injection attack in which the attacker uses the UNION operator to inject a malicious query
- Tautology is an injection attack in which the attacker manipulates the WHERE clause of the query so that it always evaluates to true
- Comment SQL injection is an injection attack in which the attacker injects comments into the query to comment out certain parts of the original query
- Piggyback query is an injection attack in which the attacker appends their malicious query to the end of the original one

Blind/Inferential SQL Injection

Blind SQL injection is an injection attack in which the attacker is unable to see the results of the injected queries, so they form queries that return true or false and, based on the result, determine whether the application is vulnerable to SQL injection. They then proceed with injecting true/false queries to extract the information stored in the database. Types of blind SQL injection are:
- Time-based SQL injection is an injection attack in which the attacker uses a time delay to evaluate the result of the malicious query
- Heavy query is an injection attack in which the attacker is unable to use time-based injection, so they turn to injecting queries that return a large amount of data from the database

Out-of-Band SQL Injection

Out-of-band SQL injection is an injection attack in which the attacker uses more than one channel to inject malicious queries and retrieve results.

SQL Injection Methodology

The SQL injection methodology defines the steps to be followed for a successful injection attack.
These steps are:
- Gathering information
- Performing SQL injection attack
- Performing advanced SQL injection

Step 1: Information Gathering

Information gathering refers to the attacker collecting information about the target application and database, including its structure, name, version, type, etc. The objective here is to identify vulnerabilities for SQL injection.

During the information gathering process, the attacker tries to identify entry points in the application, such as unvalidated input fields, into which the attacker can inject malicious data. Once they identify vulnerable input fields, the attacker attempts to inject queries that return error messages, which can be a useful source of information about the database type and version.

Step 2: SQL Injection

Upon the completion of information gathering and vulnerability detection, the attacker proceeds with the execution of different SQL injection attacks to extract information from the database, including the database name, column names, and records. The attacker may also attempt to insert or update certain information in the database. This allows them to insert a new user and password or modify the password of an existing user and in that way gain access to the system.

Step 3: Advanced SQL Injection

The attacker uses advanced SQL injection attacks to compromise the target network and OS. The attacker can interact with the OS in two ways:
- Reading/writing system files from the disk
- Executing commands using a remote shell

MySQL allows reading and writing files through the database by using the LOAD_FILE() and OUTFILE() functions. This allows the attacker to read important files, store query results to a text file, and then retrieve it.

The attacker is also able to create server backdoors using SQL injection by executing commands through functions that can call OS functions at runtime. Another way of creating a backdoor is to use database triggers which, when executed, create the backdoor.
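
The tautology, comment and UNION variants listed under In-Band SQL Injection are easiest to understand with a vulnerable query and a parameterized query side by side. This is an added example, not from the original notes: it uses Python's sqlite3 against a constructed users table (the credentials are invented) and returns what each login check yields for the same inputs.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table for the demo; sample credentials only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "correct-horse", "admin"),
         ("alice", "battery-staple", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation: input becomes SQL syntax."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: the driver passes values separately from the
    statement, so quotes, comment markers and UNION in the input stay data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# (username, password) pairs for the three in-band types discussed above.
TAUTOLOGY = ("x", "' OR '1'='1")                                   # WHERE always true
COMMENT = ("admin'--", "anything")                                 # password check commented out
UNION = ("x' UNION SELECT username, password FROM users--", "anything")   # extra result set


def run_cases():
    """Run each input through both login checks and collect the rows returned."""
    conn = make_db()
    cases = {"tautology": TAUTOLOGY, "comment": COMMENT, "union": UNION,
             "legit": ("alice", "battery-staple")}
    results = {}
    for name, (user, pw) in cases.items():
        results[name] = {"vulnerable": login_vulnerable(conn, user, pw),
                         "safe": login_safe(conn, user, pw)}
    return results


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name:10s} vulnerable -> {outcome['vulnerable']}")
        print(f"{name:10s} safe       -> {outcome['safe']}")
```

Piggybacked queries are not exercised because sqlite3's execute() refuses to run more than one statement per call, which is itself a useful defensive property of that driver.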

