Attacking the Application Server

makeshiftklipInternet και Εφαρμογές Web

31 Οκτ 2013 (πριν από 4 χρόνια και 8 μήνες)

104 εμφανίσεις

The Web Application Hacker’s
Handbook, 2ed.: Chapter 18

By Heath Carroll

Vulnerable Server Configurations

Vulnerable Server Software

Web Application Firewalls

Examples and Questions


Web applications are layered upon frameworks that provide
much of their functionality

These layers may be vulnerable and may allow a hacker to
compromise the entire web app.

Two major categories of vulnerabilities are of concern to us:

Server configuration weaknesses

Application server software exploits

Several major opportunities for attack:

Default Credentials

Default Content

Directory Listings

WebDAV Methods

Application Server as a Proxy

Misconfigured Virtual Hosting

Securing Web Server Software

Servers and other interfaces may have default
credentials still in place.

Concept Example 1:


: devices have default
admin level


with user account
and password

(exploited with

worm in 2009)



give you up…

Servers and other interfaces may have default credentials still
in place (cont’d).

Concept Example 2:

Ever forgotten your wireless password?

If you ever log in to an unsecured Wi
Fi router, try going to in your browser. When prompted for a username and

password look up the device defaults and you might be able to

filter every other user but yourself (or something more malicious)

Examples applicable to App server interfaces:

Websites which list many common default credentials:


The default software vender settings may also leave useful
system functions unsecured:

Debug and test functions (

Sample scripts useable by admins (Jetty Dump Servlet)

Erroneously unprotected functionality (common examples exploit the
ability to upload Web
, which can later be triggered to provide
a backdoor)

Man pages

Hacker Tools:




Why would directory listings help an attacker:

The obvious reason: Useful scripts and stuff that shouldn’t even be in the
file tree may be there. (i.e. logs, backup files, etc.)

Less obvious: The web app may not enforce proper access controls over its
file system, relying instead on obfuscation to protect sensitive data and
files. Just knowing their URLs would allow an attacker access to them.

based Distributed Authoring and Versioning

HTTP methods (like GET and POST) that extend the standard HTTP
protocol methods.

More widely used as “the cloud” expands


HTTP OPTIONS method can commonly be used to find the other methods
which may be immediately available (with sufficient privileges)


If an app server is configured as a forward proxy (or can be
configured as one by an attacker) some functionality opens up:

Effectively “spoof” the attackers IP address when attacking other systems
on the Internet

Connect to other hosts on the server’s network that are normally firewalled
away from the attacker

Connect to other services on the server itself to exploit trust and
authentication relationships elsewhere (uses the loopback interface)

Server administrators may forget to secure the default host (the
machine itself) on a
ost server

The virtual hosts are secured, but the default host is not.

Security features bypassed when accessing the default host.

All these problems! So how do we secure them?

Change default credentials and remove default accounts

Block access to everything not required for the server to function (firewall
ports and interfaces)

Remove default and extra content. Use

Check all directories for listings, supply index.html for each

Disable all HTTP and

methods not required

Make sure not configured as proxy server. If required, harden all
connects using ACLs at the network layer

Ensure default host enforces the same security policy as virtual ones. Use

Developers tend to rely on the built in security features of the
software they use to build their web apps.

Common exploitable areas include:

Application Framework Flaws

Memory Management Vulnerabilities

Encoding and Canonicalization

Finding Web Server Software

ASP.NET is a very well developed framework for the building of
robust web apps. Up until 2 years ago there was a CBC
cryptographic algorithm vulnerability.

second most used web app server language, first most used framework
for developing in it

Comparable to
C and Cocoa Touch framework

Comparison of Web App Frameworks

Yes, buffer overflows occur in server
side services, too.

Especially in newer technologies

Remember Chapter 3? It still applies.

Especially if different components/layers handle encoding schemes in
different ways.

Especially if further decoding is performed at each step.

Each layer should perform the same decoding steps.

Most prevalent weakness that can be exploited is path

ay allow arbitrary file access outside of the web root

Use the Internet:


Test on a locally installed version

Make sure any steps you perform do not violate the contract
with your vendor

Go with a well renowned product


Harden your server by disabling any unnecessary functionality,
port, and user accounts. Apply common sense

Keep an eye on the horizon for the latest vulnerabilities to the
services you use.


and Full Disclosure

Use Defense
Depth (layered security)

Test your system

Not as useful as you’d think

Under what circumstances does a web server display a
directory listing?

What are WebDAV methods used for, and why might they be

How can you exploit a web server that is configured to act as a
web proxy?

What is the Oracle PL/SQL Exclusion List, and how can it be

If a web server allows access to its functionality over both HTTP
and HTTPS, are there any advantages to using one protocol
over the other when you are probing for vulnerabilities?

A web server will display a directory listing if you request a URL for a
directory and:

the web server cannot find a default document such as index.html;

directory listings are enabled;

you have the required permissions to access the directory.

WebDAV methods allow web
based authoring of web content.

These methods may be dangerous if they are not subjected to strict access control.
Further, because of the complex functionality involved, they have historically been a
source of vulnerabilities within web servers

for example, as an attack vector for
exploiting operating system vulnerabilities via the IIS server.

If the proxy allows connection back out to the Internet, you could use it to
attack third party web applications on the Internet, with your requests
appearing to originate from the misconfigured web server.

Even if requests to the Internet are blocked, you may be able to leverage the proxy to
access web servers within the organization that are not directly accessible, or to reach
other web
based services on the server itself.

The PL/SQL Exclusion List is a pattern
matching blacklist designed to
prevent the PL/SQL gateway from being used to access certain powerful
database packages.

Various bypasses have been discovered to the PL/SQL Exclusion List filter. These
essentially arise because the filter employs very simple expressions, while the
end database follows much more complex rules to interpret the significance
of the input. Numerous ways have been discovered of crafting input that does not
match the blacklist patterns but nevertheless succeeds in executing the powerful
packages within the database.

It is possible that using HTTPS for communication may conceal your attacks
from some network
layer intrusion detection systems. Using HTTP, however,
will typically enable your automated attacks to execute much faster. The
application may contain different content or behave differently when
accessed via the different protocols, so in general you should be prepared
to test using both.

Web Applications are only as secure as their weakest layer

The web server supporting a Web App is a viable target for

Default configuration and content exploits, unintentionally open
functionality, and flaws in the frameworks used can all lead to viable

Automated tools are very useful when attacking a server (for
offensive or defensive purposes).