11.2 Webserver Attacks

DoS/DDoS Attacks

• Attackers may send numerous fake requests to the web server which results in the web server crash or become unavailable to the legitimate users.
• Attackers may target high profile web servers such as banks, credit card payment geteways, government owned services, etc. to steam user credentials.

• To crash the webserver running the application, attacker targets the following services by consuming the webserver with fake requests:
  • Network bandwidth
  • Server memory
  • Application exception handling mechanism
  • CPU usage
  • Hard disk space
  • Database space

DNS Server Hijacking

• Attacker compromises DNS server and changes the DNS settings so that all the request coming toward the target web server should be redirected to his/her own malicious server.

DNS Amplification Attack

• Attacker takes the advantages of DNS recursive method of DNS redirection to perform DNS amplification attack.
• Attacker uses compromised PCs with spoofed IP addresses to amplify the DDoS attacks on victims DNS server by exploiting DNS recursive method.

利用botnet假冒受害者的IP向DNS server發動請求，最後大量請求回應給受害者造成DoS攻擊。

Directory Traversal Attacks

• In directory traversal attacks, attackers use ../ (dot-dot-slash) sequence to access restricted directories outside of the web server root directory.
• Attackers can use trial and error method to navigate the outside of root directory and access sensitive information in the system.

屬於web server端的攻擊

Man-in-the-Middle/Sniffing Attack

• Man-in-the-Middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end-user and webservers.
• Attacker acts as a proxy such that all the communication between the user and webserver passes through him.

Phishing Attacks

• Attacker tricks user to submit login details for website that looks legitimate, but it redirect to the malicious website hosted on attacker web server.
• Attacker steals the credentials entered and use it to impersonate with the website hosted on the legitimate target server.
• Attacker then can perform unauthorized or malicious operation with the website target server.

Website Defacement

• Web defacement occurs when an intruder maliciously alters visual appearance of a web page by inserting or substituting provocative and frequently offending data.
• Defaced pages exposes visitors to some propaganda or misleading information until the unauthorized change is discovered and corrected.
• Attackers uses variety of methods such as MYSQL injection to access a site in order to deface it.

Web Server Misconfiguration

• Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers such as directory traversal, server intrusion, and data theft.
  • Sample Configuration, and Script Files.
  • Anonymous or Default Users/Passwords.
  • Verbose debug/error messages.
  • Misconfigured/Default SSL Certificates.
  • Unnecessary Services Enabled.
  • Remote Administration Functions.

Web Server Misconfiguration Example

• This configuration allows anyone to view the server status page, which contains detailed inform ation about the current use of the web server, including information about the current hosts and requests being processed.
  • httpd.conf file on an Apache server:

    <Location /server-status>
    SetHandler server-status
    </Location>
    

• This configuration gives verbose error messages.
  • php.ini file:

    display_error = On
    log-errors = On
    error-log = syslog
    ignore_repeated_errors = Off
    

Keeping the server configuration secure requires vigilance - OWASP

HTTP Response Splitting Attack (?)

• HTTP response splitting attack involves adding header response data into the input field so that the server split the response into two responses.
• The attacker can control the second response to redirect user to a malicious website whereas the other responses will be discarded by web browser.

• Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016)
• CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
• CAPEC-34: HTTP Response Splitting
• CRLF Injection attacks and HTTP Response Splitting
• 屬於漏洞：蓋掉server的response
• Cache: (結合web cache poisoning)
  • client
  • proxy
  • server

Web Cache Poisoning Attack

• An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request, which will be stored in cache.

SSH Bruteforce Attack

• SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network.
• Attackers can bruteforce SSH login credentials to gain unauthorized access to a SSH tunnel.
• SSH tunnels can be used to transmit malwares and other exploits to victims without being detected.

SSH: TCP port 22

Webserver Password Cracking

• An attacker tries to exploit weaknesses to hack well-chosen passwords.
• The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc.
• Attacker target mainly for:
  • SMTP servers
  • Web shares
  • SSH Tunnels
  • Web form authentication cracking
  • FTP servers
• Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan Horse or virus, wiretapping, keystroke logging, etc.
• Many hacking attempts start with cracking passwords and proves to the webserver that they are a valid user.

Webserver Password Cracking Techniques

• Passwords may be cracked manually or with automated tools such as Cain and Abel, Brutus, THC Hydra, etc.
• Passwords can be cracked by using following techniques:
  • Guessing: A common cracking method used by attackers to guess passwords either by humans or by automated tools provided with dictionaries.
  • Dictionary Attacks: A file of words is run against user accounts, and if the password is a simple word, it can be found pretty quickly.
  • Brute Force Attack: The most time-consuming, but comprehensive way to crack a password. Every combination of character is tried until the password is broken.
  • Hybrid Attack: A hybrid attack works similar to dictionary attack, but it adds numbers or symbols to the password attempt.

    • Dictionay attack + brute force attack

Automated tools: Cain & Abel, Brutus, THC Hydra.

Web Application Attacks

• Vulnerabilities in web applications running on a webserver provide a broad attack path for webserver compromise.
  • Directory Traversal
  • Parameter/Form Tampering
  • Cookie Tampering
  • Command Injection Attacks
  • Buffer Overflow Attacks
  • Cross-Site Scripting (XSS) Attacks
  • Denial-of-Service (DoS) Attacks
  • Unvalidated Input and File injection Attacks
  • Cross-Site Request Forgery (CSRF) Attack
  • SQL Injection Attacks
  • Session Hijacking