Web Site Vulnerabilities
A web site is especially
vulnerable because it is almost completely exposed to the user. If you use an
application program, you do not usually get to view the program's code. With a
web site, the attacker can download the site's code for offline study over
time. With a program, you have little ability to control in what order you
access parts of the program, but a web attacker gets to control in what order
pages are accessed, perhaps even accessing page 5 without first having run
pages 1 through 4. The attacker can also choose what data to supply and can run
experiments with different data values to see how the site will react. In
short, the attacker has some advantages that can be challenging to control.
The list of web site vulnerabilities is too
long to explore completely here. Hoglund and McGraw [HOG04],
Andrews and Whitaker [AND06], and Howard et al. [HOW05]
offer excellent analyses of how to find and
fix flaws in web software. Be sure to review the code development issues in Chapter 3, because many
code techniques there (such as buffer overflows and insufficient parameter
checking) are applicable here.
Web Site Defacement
One of the most widely known
attacks is the web site defacement attack. Because of the large number of sites
that have been defaced and the visibility of the result, the attacks are often
reported in the popular press.
A defacement is common not
only because of its visibility but also because of the ease with which one can
be done. Web sites are designed so that their code is downloaded, enabling an
attacker to obtain the full hypertext document and all programs directed to the
client in the loading process. An attacker can even view programmers' comments
left in as they built or maintained the code. The download process essentially
gives the attacker the blueprints to the web site.
The ease and appeal of a
defacement are enhanced by the seeming plethora of vulnerabilities that web
sites offer an attacker. For example, between December 1999 and June 2001 (the
first 18 months after its release), Microsoft provided 17 security patches for
its web server software, Internet Information Server (IIS) version 4.0. And
version 4.0 was an upgrade for three previous versions, so theoretically
Microsoft had a great deal of time earlier to work out its security flaws.
Buffer Overflows
Buffer overflow is alive and
well on web pages, too. It works exactly the same as described in Chapter 3: The attacker simply feeds a program
far more data than it expects to receive. A buffer size is exceeded, and the
excess data spill over into adjoining code and data locations.
Perhaps the best-known web
server buffer overflow is the file name problem known as iishack. This attack
is so well known that is has been written into a procedure (see http://www.technotronic.com). To execute the
procedure, an attacker supplies as parameters the site to be attacked and the
URL of a program the attacker wants that server to execute.
Other web servers are
vulnerable to extremely long parameter fields, such as passwords of length
10,000 or a long URL padded with space or null characters.
Dot-Dot-Slash
Web server code should always
run in a constrained environment. Ideally, the web server should never have
editors, xterm and Telnet programs, or even most system utilities loaded. By
constraining the environment in this way, even if an attacker escapes from the
web server application, no other executable programs will help the attacker use
the web server's computer and operating system to extend the attack. The code
and data for web applications can be transferred manually to a web server or
pushed as a raw image.
But many web applications
programmers are naïve. They expect to need to edit a web application in place,
so they install editors and system utilities on the server to give them a
complete environment in which to program.
A second, less desirable,
condition for preventing an attack is to create a fence confining the web
server application. With such a fence, the server application cannot escape
from its area and access other potentially dangerous system areas (such as
editors and utilities). The server begins in a particular directory subtree,
and everything the server needs is in that same subtree.
Enter the dot-dot. In both
Unix and Windows, '..' is the directory indicator for "predecessor."
And '../..' is the grandparent of the current location. So someone who can
enter file names can travel back up the directory tree one .. at a time.
Cerberus Information Security analysts found just that vulnerability in the
webhits.dll extension for the Microsoft Index Server. For example, passing the
following URL causes the server to return the requested file, autoexec.nt,
enabling an attacker to modify or delete it.
http://yoursite.com/webhits.htw?CiWebHits&File=
../../../../../winnt/system32/autoexec.nt
Application Code Errors
A user's browser carries on
an intricate, undocumented protocol interchange with applications on the web
server. To make its job easier, the web server passes context strings to the
user, making the user's browser reply with full context. A problem arises when
the user can modify that context.
To see why, consider our
fictitious shopping site called CDs-R-Us, selling compact discs. At any given
time, a server at that site may have a thousand or more transactions in various
states of completion. The site displays a page of goods to order, the user
selects one, the site displays more items, the user selects another, the site
displays more items, the user selects two more, and so on until the user is
finished selecting. Many people go on to complete the order by specifying
payment and shipping information. But other people use web sites like this one
as an online catalog or guide, with no real intention of ordering. For
instance, they can use this site to find out the price of the latest CD from
Cherish the Ladies; they can use an online book service to determine how many
books by Iris Murdoch are in print. And even if the user is a bona fide
customer, sometimes web connections fail, leaving the transaction incomplete.
For these reasons, the web server often keeps track of the status of an
incomplete order in parameter fields appended to the URL. These fields travel
from the server to the browser and back to the server with each user selection
or page request.
Assume you have selected one
CD and are looking at a second web page. The web server has passed you a URL
similar to
http://www.CDs-r-us.com/buy.asp?i1=459012&p1=1599
This URL means you have
chosen CD number 459012, and its price is $15.99. You now select a second and
the URL becomes
http://www.CDs-r-us.com/
buy.asp?i1=459012&p1=1599&i2=365217&p2=1499
But if you are a clever
attacker, you realize that you can edit the URL in the address window of your
browser. Consequently, you change each of 1599 and 1499 to 199. And when the
server totals up your order, lo and behold, your two CDs cost only $1.99 each.
This failure is an example of
the time -of- check to time-of-use flaw that we discussed in Chapter 3. The server sets (checks) the price of
the item when you first display the price, but then it loses control of the
checked data item and never checks it again. This situation arises frequently
in server application code because application programmers are generally not
aware of security (they haven't read Chapter 3!)
and typically do not anticipate malicious behavior.
Server-Side Include
A potentially more serious
problem is called a server-side include.
The problem takes advantage of the fact that web pages can be organized to
invoke a particular function automatically. For example, many pages use web
commands to send an e-mail message in the "contact us" part of the
displayed page. The commands, such as e-mail, if, goto, and include, are placed
in a field that is interpreted in HTML.
One of the server-side
include commands is exec, to execute an arbitrary file on the server. For
instance, the server-side include command
<!#exec cmd="/usr/bin/telnet
&">
opens a Telnet session from
the server running in the name of (that is, with the privileges of) the server.
An attacker may find it interesting to execute commands such as chmod (change
access rights to an object), sh (establish a command shell), or cat (copy to a
file).
For more web application
vulnerabilities see [HOG04, AND06, and HOW05].
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.