Basic Web Hacking & Tools

bubblesradiographer (Servers)

4 Dec 2013 (3 years and 9 months ago)

csci5931 Web Security


Basic Web Hacking & Tools

(MSS book)


Topics

A. Ch. 4, 15 (Netcat, Achilles, HTTP, HTTPS)
B. Ch. 5 (URLs, HTML Forms)
C. Ch. 6 (Web Application Components)


Network Utility Programs

Netcat: http://www.atstake.com/research/tools/network_utilities/

Cryptcat: http://sourceforge.net/projects/cryptcat/


Network Utility Programs: Example Use of Netcat

To get a web page:

    nc sce.uhcl.edu 80
    GET / HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Wed, 26 Feb 2003 15:08:22 GMT
    Connection: Keep-Alive
    Content-Length: 10166
    Content-Type: text/html
    Set-Cookie: ASPSESSIONIDSASQDDAR=MECEBLAAEIKECJGFFELEBJMA; path=/
    Cache-control: private

    <html>
    <head>
    <title>SCE Home Page</title> …


Network Utility Programs: Example Use of Netcat

To get the meta information of a web page:

    nc sce.uhcl.edu 80
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Wed, 26 Feb 2003 15:11:33 GMT
    Connection: Keep-Alive
    Content-Length: 10166
    Content-Type: text/html
    Set-Cookie: ASPSESSIONIDSASQDDAR=PECEBLAAKMPGGDIHEGJOAJLJ; path=/
    Cache-control: private
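The nc sessions above are just raw HTTP/1.0 typed by hand. The following is an added example (not from the slides or the MSS book) that builds the same request bytes, parses a response into status code, headers and body, and picks out the Server banner that the security-considerations slides later warn about. The sample response is constructed from the HEAD output above; the `fetch_head` helper is a hypothetical socket client and is not needed to run the parser offline.

```python
import socket

# Constructed sample: the HEAD response from the slide above, with CRLF
# line ends restored (the slide text lost them in extraction).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Wed, 26 Feb 2003 15:11:33 GMT\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Length: 10166\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: ASPSESSIONIDSASQDDAR=PECEBLAAKMPGGDIHEGJOAJLJ; path=/\r\n"
    b"Cache-control: private\r\n"
    b"\r\n"
)

def build_request(method, path="/", host=None):
    """The bytes typed into nc: request line, optional Host header, and the
    blank line that ends an HTTP/1.0 request."""
    lines = [f"{method} {path} HTTP/1.0"]
    if host:
        lines.append(f"Host: {host}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_response(raw):
    """Split a raw response into (status_code, headers, body). Header names
    are case-insensitive in HTTP, so they are lower-cased for lookup, and
    repeated headers (e.g. several Set-Cookie) are kept as a list."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    _version, code, _reason = (status_line.split(" ", 2) + [""])[:3]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(code), headers, body

def server_banner(headers):
    """The Server header: the version disclosure that the RFC says the
    administrator should be able to turn off."""
    return headers.get("server", [None])[0]

def fetch_head(host, port=80, path="/", timeout=5):
    """Network version of the nc session (hypothetical; not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request("HEAD", path, host))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return parse_response(b"".join(chunks))
```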


Network Utility Programs: Other Uses of Netcat

Have Netcat listen at a particular port:

    (At the listening side) nc -L -p 53 -e cmd.exe
    (At the remote side)    nc -v hostAddress 53

Allows the administrator to see if a port is available, for example, through a firewall.


Achilles

Acts like a web proxy

Allows a person to intercept and modify information sent from a web server to a web browser

Download: achilles-0-27.zip

Proxy configuration on the browser


HTTP & History of the WWW

[HTTP 1991] The Original HTTP as defined in 1991

[HTTP 1992] Basic HTTP as defined in 1992

[HTTP 1996] RFC1945: Hypertext Transfer Protocol -- HTTP/1.0. Informational.

[HTTP 1999] RFC2616: Hypertext Transfer Protocol -- HTTP/1.1.

[irt.org 1998] WWW: How It All Began.

[isoc.org 2000] The Internet Society. A Brief History of the Internet. August 4, 2000.


HTTP

An application-level protocol

Lightness and speed necessary for distributed, collaborative, hypermedia information systems

A stateless protocol

Can be used for many tasks, such as name servers and distributed object management systems, through extension of its request methods

Its data typing feature allows systems to be built independently of the data being transferred.


HTTP

The Content-Type entity-header field indicates the media type of the Entity-Body sent to the recipient or, in the case of the HEAD method, the media type that would have been sent had the request been a GET.

    Content-Type = "Content-Type" ":" media-type

Media types are defined in Section 3.6 of RFC1945.

An example of the field is Content-Type: text/html


HTTP Request Methods

GET: Retrieves the information requested from the file system.

HEAD: Almost identical to the GET method, but only returns the meta-information.

POST: Requests that the server accept the enclosed information and act on it. Commonly used when server-side scripting is involved.

More request methods in HTTP/1.1: Table 4-4 (pp.126-127)


HTTP Response

Response code: See Table 4-2 (p.122)

Header fields: Additional information about the response. Table 4-3 (p.124), 4-5 (p.128)

Data: The body of the response


HTTP Security

HTTP provides a simple challenge-response authentication mechanism which may be used by a server to challenge a client request and by a client to provide authentication information.

The HTTP protocol does not restrict applications to this simple challenge-response mechanism for access authentication. Additional mechanisms may be used, such as encryption at the transport level or via message encapsulation, and with additional header fields specifying authentication information. However, these additional mechanisms are not defined by this specification.


HTTP Security

The "basic" authentication scheme is based on the model that the user agent must authenticate itself with a user-ID and a password for each realm.

The server will authorize the request only if it can validate the user-ID and password for the protection space of the Request-URI. There are no optional authentication parameters.

The "basic" authentication scheme is not a secure method of user authentication, nor does it prevent the Entity-Body from being transmitted in clear text across the physical network used as the carrier.
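An added example (not from the slides or the MSS book) of the challenge-response exchange described on the two HTTP Security slides: the server's 401 challenge, the client's Basic credential, and the server-side check for the realm. Decoding the header shows why the slide calls the scheme insecure: the user-ID and password are only base64-encoded. The realm name and the credential store are constructed for this example.

```python
import base64
import hmac

REALM = "csci5931"  # hypothetical realm name chosen for this example

# Constructed credential store for the example: realm -> {user-ID: password}.
# Kept as plain strings so the block is self-contained; a real server stores
# a salted password hash and verifies against that instead.
CREDENTIALS = {REALM: {"alice": "s3cret"}}

def challenge(realm=REALM):
    """Server side of the exchange: a 401 carrying the WWW-Authenticate
    challenge for the protection space."""
    return f'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="{realm}"\r\n\r\n'

def authorization_header(user_id, password):
    """Client side: "user-ID:password" base64-encoded. Base64 is an encoding,
    not encryption, which is why the scheme is not a secure method."""
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8"))
    return "Authorization: Basic " + token.decode("ascii")

def decode_authorization(header_line):
    """Recover (user-ID, password) from the header; anyone who can read the
    request on the wire can do exactly this. Returns None if malformed."""
    scheme, _, token = header_line.partition(":")[2].strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user_id, sep, password = decoded.partition(":")
    return (user_id, password) if sep else None

def authorize(header_line, realm=REALM):
    """Server check against the realm's credentials. The comparison is
    constant-time and runs even for unknown users, so response timing does
    not reveal which user-IDs exist."""
    creds = decode_authorization(header_line)
    if creds is None:
        return False
    user_id, password = creds
    expected = CREDENTIALS.get(realm, {}).get(user_id)
    known = expected is not None
    match = hmac.compare_digest(password.encode("utf-8"),
                                (expected or "").encode("utf-8"))
    return known and match
```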


HTTP Security Considerations

The GET and HEAD methods should never have the significance of taking an action other than retrieval.

These methods should be considered "safe". True?

It is not possible to ensure that the server does not generate side-effects as a result of performing a GET request.


HTTP Security Considerations

Abuse of Server Log Information:

A server is in the position to save personal data about a user's requests which may identify their reading patterns or subjects of interest. This information is clearly confidential in nature and its handling may be constrained by law in certain countries.


HTTP Security Considerations

Transfer of Sensitive Information:

HTTP cannot regulate the content of the data that is transferred, nor is there any a priori method of determining the sensitivity of any particular piece of information within the context of any given request.

Revealing the specific software version of the server may allow the server machine to become more vulnerable to attacks against software that is known to contain security holes. Implementors should make the Server header field a configurable option.


HTTP Security Considerations

Attacks Based On File and Path Names:

Implementations of HTTP origin servers should be careful to restrict the documents returned by HTTP requests to be only those that were intended by the server administrators.

For example, Unix, Microsoft Windows, and other operating systems use ".." to indicate a directory level above the current one.

Files intended for reference only internally to the server (such as access control files, configuration files, and script code) must be protected from inappropriate retrieval.
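An added example (not from the slides or the MSS book) of the origin-server check the slide asks for: map a request path onto the document root, refuse any ".." segment (after percent-decoding, so encoded forms are caught too), and never serve the internal-only files. The document root and the list of internal file names are constructed for the example; nothing is read from disk.

```python
from pathlib import PurePosixPath
from urllib.parse import unquote

# Constructed document root for the example; nothing is read from disk.
DOC_ROOT = PurePosixPath("/var/www/html")
# Constructed list of files meant for the server only (access control,
# configuration) that must never be returned, whatever path reaches them.
INTERNAL_NAMES = {".htaccess", ".htpasswd", "web.config"}

def resolve_request_path(request_path, doc_root=DOC_ROOT):
    """Map the path of an HTTP request onto a file under doc_root, or return
    None when the request must be refused. Percent-decoding happens before
    any check so that encoded forms of '..' are judged after decoding."""
    path_only = request_path.split("?", 1)[0]
    decoded = unquote(path_only)
    # NUL bytes and backslashes have no business in a URL path; on Windows
    # a backslash is a second directory separator, so treat it as hostile.
    if not decoded.startswith("/") or "\x00" in decoded or "\\" in decoded:
        return None
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    # Any '..' segment is an attempt to climb out of the intended tree;
    # refuse it outright rather than normalising it away.
    if ".." in segments:
        return None
    # Dotfiles and the internal-only list are never served.
    if any(s.startswith(".") or s in INTERNAL_NAMES for s in segments):
        return None
    target = doc_root.joinpath(*segments)
    # Structural check that the lexical filtering above kept us inside the
    # document root: defence in depth against a mistake in the filter.
    if target != doc_root and doc_root not in target.parents:
        return None
    return target
```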


HTTPS

HTTP over SSL

SSL encrypts traffic between two hosts, significantly reducing the ability of an attacker to access sensitive traffic and record information such as passwords.

But SSL does not truly provide security if the SSL certificate is exposed. Tools such as ssldump can be used to decrypt SSL traffic.

A network packet analyzer: Snort (Assignment #2?) (http://www.snort.org/dl/binaries/1.8.7/)


Ch 6: Web Application Components

Fig. 6-1: A typical Web application (p.166)

Fig. 6-2: Interfacing Web application servers with front-end web servers (p.170)

A. The native application processing environment (e.g., ASP on MS IIS)

B. Web server APIs and plug-ins (e.g., MS ISAPI extensions, Netscape NSAPI modules, …)


Ch 6: Web Application Components

C. URL Mapping and internal proxying

The application server listens on a TCP port other than the one used by the web server. The web server is configured to map specific URLs onto the application server.

D. Proxying with back-end application server (e.g., Fig. 6-4, p.174)


Next

Midterm

Ch. 7: HTML source sifting, wget, Teleport Pro

Ch 8: Site Linkage Analysis

Core JAVA Security Model (GS: 7)

Team Presentations