ETHICAL HACKING Web Security.
UNIT -5
Web-Application Vulnerabilities,
and
Web-Based Password
Cracking Techniques
How Web Servers Work
• Web servers use Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) to allow web-based clients to connect to them and view and download files. HTTP is an Application-layer protocol in the TCP/IP stack. HTTP and HTTPS are the primary protocols used by web clients accessing web pages residing on web servers on the Internet. Hypertext Markup Language (HTML) is the language used to create web pages and allows those pages to be rendered in web browser software on web clients.
• The HTTP protocol operates as shown in Figure
Steps Involved In Client and Server Connection
1. The web client opens a TCP connection to the web server's IP address on port 80 (or port 443 for HTTPS).
2. The web server waits for a GET request from the client requesting the home page for the website.
3. The web server responds with the HTML code for the web server home page.
4. The web client processes the HTML code and the client's browser software renders the page on the client device.
Types of Web Server Vulnerabilities
1. Server misconfiguration attacks: exploit configuration weaknesses found in web servers and application servers. Many servers ship with unnecessary default and sample files, including applications, configuration files, scripts, and web pages, that an attacker can reach or abuse.
2. Operating system or application bugs: all software on the host, including the OS and the web server application, should be patched or updated on a regular basis (for example through Windows Update).
3. Patches not applied automatically: relying on manual patching leaves a window in which publicly known bugs remain exploitable on the server.
4. Vulnerable default installation: operating system and web server software settings should not be left at their defaults when installed, and should be reviewed and updated on a continuous basis.
Attacking a Web Server
• Web servers typically listen on TCP port 80 (HTTP) and TCP port 443 (HTTPS). Because those ports must be open and available to web clients, any firewalls or packet-filtering devices between the web client and the web server must let traffic to them through, so they cannot stop attacks that are carried inside ordinary HTTP requests.
• Web application software sits on top of the web server software and may open additional ports (for example to back-end application or database servers) that also need to be controlled.
• One of the initial information-gathering steps targeting web servers is banner grabbing.
Banner grabbing is a method used to obtain information about computer systems and services on open ports, providing details such as software type and version. It is used by attackers and security teams alike for enumeration purposes. Some examples of service ports used for banner grabbing are those used by Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP): ports 80, 21, and 25 respectively. The banner-grabbing result will usually identify the web server type and version (for HTTP, the Server response header). This information is important because exploits against that web server type and version can then be identified; for the same reason, defenders often suppress or genericise the banner.
Common website attacks that enable a hacker to deface a website:
o Capturing administrator credentials through man-in-the-middle attacks
o Revealing an administrator password through a brute-force attack
o Using a DNS attack to redirect users to a different web server
o Compromising an FTP or email server
o Exploiting web application bugs that result in a vulnerability
o Misconfiguring the web server
o Taking advantage of weak permissions
o Rerouting a client after a firewall or router attack
o Using SQL injection attacks (if the SQL server and web server are the same system)
o Using telnet or Secure Shell (SSH) intrusion
o Carrying out URL poisoning, which redirects the user to a different URL
o Using web server extension or remote service intrusion
o Intercepting the communication between the client and the server and changing the cookie to make the server believe that there is a user with higher privileges
Hacking Internet Information Server
• Windows IIS is one of the most popular web server software products.
Because of the popularity and number of web servers running IIS, many
attacks can be launched against IIS servers. The three most common
attacks against IIS are as follows:
• Directory traversal: directory traversal, also known as path traversal or directory climbing, is a vulnerability in which the web server or application builds a file path from attacker-controlled request data without confining it to the web root. Crafted HTTP requests (typically containing ../ sequences, often URL-encoded or double-encoded) let an attacker read files in restricted directories, view data and, where the traversal reaches an executable such as a command shell, execute commands.
• Source disclosure attack: source code disclosure happens when an unauthorized party gets access to the source code of a web application or API, for example the server-side script files the server was supposed to execute rather than send. This can be caused by web server misconfigurations or vulnerabilities in the web application or API.
• Buffer overflow attack: a buffer overflow involves sending more data, usually in the form of a long text string, than the web server (or one of its extensions) is prepared to handle. The primary entry point for buffer overflows is a web form on the web server, although query strings and request headers are processed the same way.
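A directory traversal check, as an added example (not code from the original page or from IIS): the function maps a request path onto a file under a document root and refuses anything that, after decoding and normalisation, lands outside it. The document root, the sample request paths and the function name are assumptions made for this example; the traversal strings are constructed to show plain, URL-encoded, double-encoded and backslash variants.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"   # hypothetical document root for this example


def resolve_request_path(request_path, doc_root=DOC_ROOT):
    """Map a URL path onto a file under doc_root, or return None if it escapes.

    Decodes twice so double-encoded dots (%252e) are caught, treats
    backslashes as separators (IIS does), lets normpath collapse ../ segments,
    and only then checks that the result is still inside doc_root. The check
    is on the normalised path, not on the presence of '..', so encoded and
    mixed forms are handled uniformly.
    """
    decoded = unquote(unquote(request_path)).replace("\\", "/")
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Constructed sample requests: the first two are legitimate, the rest are
# traversal attempts in the forms an attacker typically tries.
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/../index.html",
    "/../../etc/passwd",
    "/..%2f..%2f..%2fetc/passwd",
    "/%252e%252e/%252e%252e/%252e%252e/etc/passwd",
    "/..\\..\\..\\windows\\win.ini",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:50} -> {resolve_request_path(req)}")
```

Two caveats for real servers: decode exactly as many times as the server itself does (decoding more than it does can open a different bug), and resolve symbolic links with `os.path.realpath` before the containment check, since a link inside the web root can point outside it.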
Patch-Management Techniques
• Patch management plays a critical role in preventing and mitigating the risk of attack against web servers and web applications. Patch management is the process of applying the patches and hotfixes released by a system vendor. Patches are software and operating system (OS) updates that address security vulnerabilities within a program or product. Vendors may also release updates to fix performance bugs and to provide enhanced security features.
• You should maintain a log of all patches applied to each system. To make patch installation easier, you can use automated patch-management systems such as those provided by PatchLink, St. Bernard Software and Microsoft.
Web Server Hardening Methods
• Rename the administrator account, and use a strong password
• Disable default websites and FTP sites.
• Remove unused applications from the server (using Add/Remove Programs in the Windows Control Panel).
• Disable directory browsing in the web server’s configuration settings.
• Add a legal notice to the site to make potential attackers aware of the implications of
hacking the site.
• Apply the most current patches, hotfixes, and service packs to the operating system and
web server software.
• Perform bounds checking on input for web forms and query strings to prevent buffer
overflow or malicious input attacks.
• Disable remote administration.
• Use a script to map unused file extensions to a 404 (“File not found”) error message.
• Enable auditing and logging.
• Use a firewall between the web server and the Internet and allow only necessary ports
(such as 80 and 443) through the firewall.
Web Application Vulnerabilities and Stages Involved
Web Application Threats and Countermeasures
1. Cross-Site Scripting (XSS): the attacker injects script code into a legitimate website (stored in the page or reflected from a request parameter) so that it executes in the victim's browser when the victim loads the page.
Countermeasure: validate and encode user-supplied input before it is written into pages, and protect cookies. Cookies are small pieces of text sent to your browser by a website you visit; they help that website remember information about your visit (such as your session), which is why stealing them is a common goal of XSS.
2. SQL Injection: inserting SQL commands into a URL parameter or form field gets the database server to dump, alter, delete, or create information in the database. SQL injection is covered in detail later in this unit.
Countermeasure: validate user variables and use parameterized queries.
3. Command Injection: the hacker inserts operating-system or programming commands into a web form field that the application passes to a shell or interpreter.
Countermeasure: use language-specific libraries for the task instead of invoking a shell, and validate the input.
4. Cookie Poisoning and Snooping: the hacker modifies (poisons) or steals (snoops) cookies.
Countermeasures: don't store passwords in a cookie; implement cookie timeouts; and authenticate cookies (for example with a server-side message authentication code) so that tampering is detected.
5. Buffer Overflow: huge amounts of data are sent to a web application through a web form to crash it or execute commands.
Countermeasures: validate user input length; perform bounds checking.
6. Authentication Hijacking: the hacker steals a session once a user has authenticated.
Countermeasure: use SSL/TLS to encrypt traffic so that session tokens cannot be sniffed.
7. Directory Traversal: the hacker browses through folders outside the web root on the system via a web browser or Windows Explorer.
Countermeasures: Define access rights to private folders on the web server; apply patches and
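Countermeasure 4 ("authenticate cookies" with a timeout) and the earlier-listed attack of changing a cookie so the server believes a user has higher privileges, as one added example (not code from the original page): the server issues a cookie carrying the user name, role and expiry plus an HMAC over that payload, and rejects any cookie whose tag no longer matches or whose expiry has passed. The secret key, the time-to-live, the claim names and the helper names are assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

SECRET = b"server-side-secret-key-rotate-me"  # hypothetical; keep it out of source in practice
COOKIE_TTL = 900                              # seconds before a cookie expires (assumed)


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 tag over the exact bytes that will be placed in the cookie."""
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_cookie(user: str, role: str, now=None) -> str:
    """Server side: encode the claims and append their tag, '<base64>.<hex tag>'."""
    now = int(time.time()) if now is None else now
    claims = {"u": user, "r": role, "exp": now + COOKIE_TTL}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_cookie(cookie: str, now=None):
    """Server side: return the claims if tag and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        b64, tag = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None                                   # malformed cookie
    if not hmac.compare_digest(_sign(payload), tag):  # constant-time compare
        return None                                   # tampered or forged
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None                                   # expired: limits replay of a stolen cookie
    return claims


def tamper_role(cookie: str, new_role: str) -> str:
    """What the attacker does: decode, change the role, re-encode, keep the old tag."""
    b64, tag = cookie.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(b64.encode()))
    claims["r"] = new_role
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


if __name__ == "__main__":
    good = issue_cookie("alice", "user")
    print("valid   :", verify_cookie(good))
    print("poisoned:", verify_cookie(tamper_role(good, "admin")))
```

Without the tag, `tamper_role` would be a working privilege escalation; with it, the forged cookie fails `compare_digest` because the attacker cannot recompute the HMAC without `SECRET`. The expiry does not stop an attacker who snoops a live cookie, which is why the transport still needs TLS.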
Hacking Tools
Wget is a command-line tool that a hacker can use to
download an entire website, complete with all the
files.
WebSleuth uses spidering technology to index an entire
website. For example, WebSleuth can pull all the email
addresses from different pages of a website.
BlackWidow can scan and map all the pages of a website
to create a profile of the site
SQL Servers are very common database servers and used by many organizations to store
confidential data. This makes a SQL Server a high-value target and therefore a system that is
very attractive to hackers.
The Purpose of SQL Injection
• Some SQL exploits will produce valuable user data stored in the database, and some are just precursors
to other attacks.
The following are the most common purposes of a SQL injection attack:
• Identifying SQL Injection Vulnerability : The purpose is to probe a web application to discover which
parameters and user input fields are vulnerable to SQL injection.
• Performing Database Fingerprinting: the purpose is to discover the type and version of database that a web application is using and so "fingerprint" the database. Knowing the type and version of the database tells the attacker which SQL dialect, built-in functions and known exploits apply to it.
• Determining Database Schema To correctly extract data from a database, the attacker often needs to
know database schema information, such as table names, column names, and column data types.
This information can be used in a follow-on attack.
• Extracting Data These types of attacks employ techniques that will extract data values from the
database.
• Adding or Modifying Data The purpose is to add or change information in a database.
• Performing Denial of Service These attacks are performed to shut down access to a web application,
thus denying service to other users. Attacks involving locking or dropping database tables also fall
under this category.
• Evading Detection This category refers to certain attack techniques that are employed to avoid auditing
and detection.
• Bypassing Authentication Bypassing such mechanisms could allow the attacker to assume the rights
and privileges associated with another application user .
Finding a SQL Injection Vulnerability
Before launching a SQL injection attack, the hacker determines whether the configuration of the database and related tables and variables is vulnerable. The steps to determine the SQL Server's vulnerability are as follows:
1. Using your web browser, search for a website that uses a login page or other database input or query fields (such as an "I forgot my password" form). Look for web pages that submit POST or GET requests by checking the site's source code for forms and parameters.
2. Test the application by submitting a single quote ('). Doing so indicates whether the user input variable is sanitized or inserted literally into the query by the server. If the server responds with a database error message (an unclosed quotation mark, for example), or the query can be forced true with input such as ' OR 'a'='a, then it is most likely susceptible to a SQL injection attack.
3. Use the SELECT command to retrieve data from the database or the INSERT command to add information to the database.
SQL Injection Using Dynamic Strings
• Dynamic SQL is a programming technique that enables you to build SQL statements dynamically at runtime.
• Static or embedded SQL statements are SQL statements in an application that do not change at runtime and, therefore, can be hard-coded into the application. Dynamic SQL statements are constructed at runtime, for example by concatenating user input into the query text; the application may even allow users to enter their own queries.
• What makes a dynamic string injectable:
o Single quotes: the attacker's quote closes the string literal and the rest of the input is parsed as SQL
o Lack of input validation
o Privileges of the user's connection to the database, which bound what an injected statement can do
• Basic countermeasures:
o Rejecting known bad input
o Sanitizing and validating the input field
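The single-quote probe from the procedure above and the dynamic-string weakness it detects, as one added example (not code from the original page): a throwaway in-memory SQLite database with a constructed users table, a login function that concatenates user input into the query, the same login done with bound parameters, and a probe that reports which of the two is injectable. The table contents, the sample credentials and the function names are all assumptions made for this example.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users with plaintext passwords (demo only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [("admin", "S3cret!"), ("alice", "hunter2")])
    con.commit()
    return con


def login_dynamic(con, username, password):
    """VULNERABLE: dynamic SQL built by string concatenation.

    Returns ("ok", [usernames]) or ("error", message). A quote in either
    field closes the literal and the remainder is parsed as SQL.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))          # the tell-tale database error from step 2
    return ("ok", [r[0] for r in rows])


def login_parameterized(con, username, password):
    """FIXED: the driver binds the values; input is data, never SQL text."""
    rows = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()
    return ("ok", [r[0] for r in rows])


def probe_for_injection(login_fn, con):
    """Step 2 of the procedure: a lone single quote that produces a database
    error means the parameter is concatenated into the query."""
    status, _detail = login_fn(con, "admin", "'")
    return status == "error"


if __name__ == "__main__":
    db = make_db()
    for fn in (login_dynamic, login_parameterized):
        print(fn.__name__, "injectable:", probe_for_injection(fn, db))
        print("  comment-out  :", fn(db, "admin' --", "anything"))
        print("  'a'='a' trick:", fn(db, "nobody", "' OR 'a'='a"))
```

The `admin' --` payload turns the rest of the statement into a comment so the password check never runs; the `' OR 'a'='a` payload leaves the statement syntactically valid but always true, which is the "or something similar" condition in step 2. Both succeed only against the concatenated query.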
Buffer Overflows
• Buffer overflows are exploits that hackers use against an operating system or application.
• A buffer overflow exploit causes a system to fail by corrupting memory or, when the overwritten memory is chosen carefully, runs a command shell or arbitrary code on the target system.
• The stack and the heap are the storage locations for user-supplied variables within a running program. Variables are stored on the stack or heap until the program needs them.
• A call stack, or stack, is used to keep track of where in the program code the execution pointer should return after each function finishes executing. That saved return address sits next to the function's local variables, which is what makes it reachable from an overflowing buffer.
Steps A Hacker Uses To Execute A Stack-based Buffer Overflow
The following are the steps a hacker uses to execute a stack-based buffer
overflow:
1. Enter data into a buffer on the stack, filling the space allocated for that variable.
2. Enter more data than the buffer has allocated in memory for that variable, which causes the write to overflow into the adjacent stack memory, including the saved return pointer that tells the program where to return to after the current function finishes. The overflowing data carries the hacker's code and a replacement return pointer that points at it.
3. When the function returns, the program uses the return pointer to get back to the next line of executable code. If the hacker has successfully overwritten the pointer, the program executes the hacker's code instead of the program code.
Buffer Overflow Countermeasures