The document discusses various techniques for hacking web applications and web services, including: 1. Profiling infrastructure, attacking authentication and authorization, exploiting data connectivity, attacking client-side vulnerabilities, and denial of service attacks against web applications. 2. Using automated scanning tools to discover servers, services, and vulnerabilities. Common vulnerabilities in Apache, SQL injection, and insecure web service descriptions are described. 3. Attacking web application management interfaces through insecure protocols like Telnet and exploiting features like WebDAV that allow remote file manipulation.

1. Web Security

3. Automated vulnerability scanning software

4. Common vulnerability by platform : Apache

5. SQL Injection

6. Attack web service

7. Hacking web application management

9. Attack web server

10. Survey the application

11. Attack the authentication mechanism

12. Attack the authorization schemes

13. Perform a functional analysis

14. Exploit the data connectivity

15. Attack the management interfaces

16. Attack the client

17. Launch a denial-of-service attack

19. What transports does it use ?

20. Over which ports ?

21. How many servers are there ?

22. Is there a load balancer ?

23. What is the make and model of the Web server

24. Are external sites relied on for some functionality ?

26. The sheer number of Web server software vulnerabilities that have been published makes this one of the first and usually most fruitful areas of research for a Web hacker.

29. Spoofing token within a cookie

31. Requesting hidden objects with guessable names

32. attacks, escalating privileges, and tunneling privileged commands to the SQL server

34. Attempted fault injection is central to software security testing

35. referred to as input validation attacks

37. Web developers tend to focus on the most efficient way to make this connection,rather than the most secure.

40. since there have been some devastating attacks against the Web user community over the years, including cross-site scripting.

42. t is typically carried out by issuing a flood of traffic to a site, drowning out legitimate requests

43. AUTOMATED VULNERABILITY SCANNING SOFTWARE

45. Registered DNS domain names and related data

46. Administrative contact for an Internet presence

47. #whois -h whois.crsnic.net mthai

48. #whois -h whois.crsnic.net mthai.com

52. TCP scanport call “TCP SYN scans”

53. Obviously, Web Server are used few service port to acting Web.

57. D:gt; fscan -qp 80,81,88,443, 8888,9090,10000 192.168.234.1-254 FScan v1.12 - Command line port scanner. Copyright 2000 (c) by Foundstone, Inc. http://www.foundstone.com Scan started at Fri Feb 15 15:13:33 2002 192.168.234.1 80/tcp 192.168.234.34 80/tcp 192.168.234.34 443/tcp 192.168.234.34 8000/tcp 192.168.234.148 80/tcp 192.168.234.148 443/tcp 192.168.234.148 8000/tcp Scan finished at Fri Feb 15 15:14:19 2002 Time taken: 4826 ports in 45.705 secs (105.59 ports/sec)

60. dummycert.pem a certificate to be used in connection with ssl.

62. COMMON VULNERABILITIES BY PLATFORM : Apache

65. The concept is simple

66. but requires a few trial runs to perfect against a server.AURL with a large number of trailing slashes

67. Note that most Apache servers cannot handle at all aURLlonger than about 8,000 characters.

71. But, The attack can be performed directly on the URL with a browser or from the command line using netcat

74. Unnecessary files include password files, developer notes, old data, backup versions of the site, and any file that will never be touched by a browser or required by the application.

77. Unfortunately, it is not easy to identify when a server is using mod_rewrite, or if the configuration is vulnerable.

78. A vulnerable server has a RewriteRule that maps a URL to a local page that is referenced by it's complete pathname.

80. A vulnerable rule :

81. RewriteRule /more-icons/(.*) /home/httpd/icons/$1

82. A rule that is not vulnerable :

83. RewriteRule /more-icons/(.*) /icons/$1

86. SQL INJECTION

88. No particular database vendor is more secure than another against these exploits.

89. SQL server is just more equal than others!

91. A common SQL structure uses the tick to delimit variables within the query strSQL = "select userid from users where password = '" + password + "'";

94. The unclosed quotation mark indicates a vulnerable query. Plus, the error contains “@UserID=182”, which provides us with a field name and the specific UserID we have been assigned.

96. That the data are being passed to a stored procedure named getAdminHome1.

98. SQL injection has been relegated to a minor input validation error.

100. Generate an ODBC error once more, but the @UserID variable has not been declared. This drives home the point of how difficult it is to break a stored procedure.

101. The SiteID variable is placed into the SiteID portion of the SQL statement.

103. can change our UserID. Unfortunately, there are now two UserID parameters in the function call.

107. the best way to accomplish this is through the “try, catch, finally” method of exception handling.

109. String concatenation is the bane of a secure SQL statement because it provides the easiest way for a user to manipulate the statement with tick marks.

110. Input validation should be performed on the Web server and items in the database should be strongly typed.

111. A field that only uses numeric values should be a type INT, not a VARCHAR.

113. Improved performance is often a byproduct of stored procedures.

115. Also, the user account that the Web server uses should have limited functionality.

116. Doesn’t have to write to the Master database or perform backup duties

118. ATTACKING WEB SERVICE

120. It will be run applications from other applications (php, asp, java, python) through web pages.

121. Service of a document that describes WS features of Corporate Services.

122. And offered the public aware WS users can search without having to know physical address of an application or program.

123. Web Services is a new generation of services in the web industry. Users simply pull services On the Web. Language is the core of the Web development XML.

125. SOAP (Simple Object Access Protocol) protocol to run Component to run across a cross-platform, cross language (asp.net, c #, php, perl, java, python, delphi). this protocol works with HTTP protocol and message format to communicate with language XML.

128. The <portType> element defines the semantics of the message passing (for example, request-only, request-response, response-only).

129. The <binding> element specifies various encodings over a specified transport such as HTTP, HTTPS, or SMTP.

131. The <portType> element defines the semantics of the message passing (for example, request-only, request-response, response-only).

132. The <binding> element specifies various encodings over a specified transport such as HTTP, HTTPS, or SMTP.

133. The <service> element defines the endpoint for the service (a URL).

136. To publish a deployed Web service using DISCO, you simply need to create a .disco file and place it in the Web service’s virtual root directory (vroot) along with the other service-related files (such as .asmx, .wsdl, .xsd, and other file types).

137. The .disco document is an XML document that contains links to other resources that describe the Web service, much like a WSDL file containing the interface contract.

142. XML Encryption A companion to XML Signature, it addresses the encryption and decryption of XML documents and portions of those documents.

144. Security Assertion Markup Language (SAML) Format for sharing authentication and authorization information.

146. Hacking Web Application Management

148. SSH1 also vulnerable to attack makes it easy. You should use SSH2 to which the security is higher.

152. The only exception we’d make to this rule is if access to the FTP service is restricted to a certain small range of IP addresses.

154. There is a utility called Secure Copy (scp) that is available to connect to SSH services and perform file transfers right over (authenticated and encrypted) SSH tunnels.

156. POST Used to post files to collections (this is a standard HTTP method that will likely see different use with WebDAV).

157. DELETE Need we say what effect this might have?

158. PUT Another standard HTTP method that is leveraged by WebDAV to upload content.

159. MOVE If unable to deface a Web server, hackers may just move the content around.

160. COPY Yes, it has an overwrite feature.

161. Question ?