Web Hacking & Defensing


1 Web Hacking & Defensing
Kyonggi University GRRC Invited Seminar, Thursday, March 16, 2017. Dr. Yoon Byung-nam (윤병남)

Education: B.S. in Electronic Engineering, M.S. in Information and Communications, Ph.D. in Computer Science
Career:
- Computer Engineer, Sperry Rand UNIVAC (USA), 1974-1978
- Manager, Electronic Switching Systems, Samsung Electronics, 1978-1982
- Head, Software Research Department, Electronics and Telecommunications Research Institute (ETRI), 1982-1999
- Director, National Informatization Center, National Information Society Agency (NIA), 1999-2009
- Adjunct Professor, Division of Information and Communications, Hankuk University of Foreign Studies, 1999-2008
- Adjunct Professor, Department of Computer Science, Kyonggi University, 1989-2004
- Associate Professor (Industry-Academia Cooperation), Department of Computer Science, Kyonggi University, 2010-2016

Founding Chairman, Communication Software Society, Korean Institute of Communications and Information Sciences (KICS)
Founding Chairman, BPM Workflow Forum, 2003
Co-chairman, Electronic Commerce Council
(Current) Organizing Committee Chairman, IEEE/ICACT International Conference, 2007
(Current) Chairman, Global IT Research Society, 2010
(Current) Editor-in-Chief, IEEE/TACT International Journal
Books: Next-Generation Intelligent Network Technology (Hongneung Publishing), Outsourcing Techniques (Hongneung Publishing), and many others
Awards: Presidential Industrial Medal (for contributions to building the national high-speed network), KICS Service Award (for contributions to the society's development), and many others

4 Content
Web Data Communication
Web Log Analysis
Web Hacking Tools
Wrap Up

5 Learning Point : Clear Concept
1. Web Communication: HTTP Protocol - Create Cyber Space: HTML, HTTP, SSP, Browser
2. Web Hacking Tools: Paros, Wireshark - Open Source for Web Vulnerability Measurement
3. Web Log Analysis - Fundamental Knowledge for Hacking Type Analysis
4. Web Defensing Know-How - Become a Cyber Soldier - Cyber Salvation Army

6 Internet Logical Architecture → 3 Domains

7 Server Domain → Intranet Logical Architecture

8 Server Platform → Web Programming Environment
Chronicle: HTML + [ASP Platform (MS) → JSP Platform (Sun) → PHP Platform (Open Source)]

9 Internet Domain → End-to-End Delivery

10 Internet Domain → End-to-End Delivery
Diagram: Source and Destination each run the stack Applications / TCP / IP / Ethernet, FDDI, etc.; a third stack in between shows TCP / IP / Ethernet, FDDI, etc.

11 Internet Domain → Packet Capture
Diagram: Applications / TCP / IP / LAN Technologies: Ethernet, FDDI, etc., between Source and Destination

12 Client Domain → Browser (UA: User Agent)
The Cyber Space Shuttle (1993 Netscape Navigator) → Chromeffects
Chronicle: Netscape (NCC) → IE (MS) → Chrome (Google: Open Source)
Diagram: User → Web Browser → Client accesses Webpage

13 Client Domain → Browser Engine
Web Browser: URI/URL, HTML, Hyperlink/Hypermedia

14 Client Domain → Browser Engine

15 Browser Engine → Service Protocols
URL format: Protocol://Host Domain/Path/Webpage
Types of URL:
- HTTP: mainly used on the Web, e.g.)
- FTP: used for FTP services, e.g.) ftp://ftp.uu.net
- FILE: reads a file on your own computer, e.g.) file://c:\autoexec.bat
- Gopher: searches a Gopher service through the Web, e.g.) gopher://cair-archive.kaist.ac.kr/70/
- Telnet, News, Mailto: telnet, newsgroup and e-mail services, e.g.) telnet://swallow.yonsei.ac.kr, e.g.) news://news.nownuri.net/han.comp, e.g.)

16 HTTP (Hyper Text Transport Protocol)
Diagram: User → Web Browser (Client) → HTTP Request Webpage → Web Server; Web Server → HTTP Response Webpage → Web Browser; the User accesses the Webpage.

17 HTTP (Hyper Text Transport Protocol)
1. Web Browser requests Webpage → 2. Server Process → 3. Response Webpage → 4. Execute HTML Engine & JavaScript, Show up Screen
Client: Translate HTML, Show up Screen. Server: Process Web Program, Response HTML Webpage.
Session: Connect (Session Start) → Request Webpage (URL/URI) → HTML File → Response (HTML File) → Disconnect (Session End)

18 HTTP (Hyper Text Transport Protocol) - Reuse Image File in Cache
Client: Translate HTML, Show up Screen. Server: Process Web Program File.
First exchange: Connect (Session Start) → Request Webpage (URL) → HTML File → Response (HTML File) → Disconnect (Session End)
Then, for each image: reuse the Image File from the Cache; otherwise a second exchange: Connect (Session Start) → Request Image (URL/URI) → Process Image Program File → Image File → Response (Image File) → Disconnect (Session End)

19 What are the Web Browser & Server doing? → What is the Web doing?!
3 Step Procedure: Step 1. Session Start; Step 2. Data Communication; Step 3. Session End
Webpage Components:
- HTML, CSS, JavaScript, Cookie, ...
- Server-Side Script: ASP, JSP, PHP, ...
- SQL: DBMS Language
- Embedded Multi-Media Languages: Audio, Video, Image, Streaming
- Service: File Upload, Download; Send & Receive: CSV, Excel files between DBMS, etc.

20 HTTP : Step 1. Session Start Procedure
Server: Ready to Service. Client: HTTP Request Webpage.
1. Request Connection (send SYN)
2. Accept Connection (send SYN, ACK)
3. Confirm Connection (send ACK) + WS
4. Session Start

21 TCP Protocol Packet Format
Code - Flag Bits (Packet Control Code)
URG: Urgent Packet
ACK: Acknowledgement of Message Received Well
PSH: Push Request Task
SYN: Data Communication Session Creation
FIN: Graceful Session End Request
RST: Emergent Session End Request

22

23 Cyber Space Protocol - HTTP: Step 2. Data Communication Procedure
Web Server ↔ User (Browser). Server: Ready to Service.
1. Give Webpage (send + PSH, ACK)
2. TCP Checksum Routine (send ACK) + WS
Repeat until Completed

24

25

26

27 Cyber Space Protocol - HTTP: Step 3. Session End Procedure
User (Browser) ↔ Web Server
1. FIN-WAIT 1 (send FIN, ACK): Request Disconnection
2. CLOSE-WAIT (send ACK)
3. FIN-WAIT 2
4. LAST ACK (send FIN, ACK)
5. TIME WAIT (send ACK)
6. Session End
Global Client-Server Communication Protocol
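Added example (not from the presentation) for slides 20-27: it decodes the TCP flag bits from a raw header and labels a segment sequence with the Session Start, Data and Session End steps. The segments are constructed with a helper, not taken from a capture, and direction is not tracked.

```python
"""Decode the TCP flag bits listed on the slide and label a segment sequence
with the Session Start / Data / Session End steps of slides 20-27.
Added example, not from the presentation; the segments are constructed."""
import struct

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def tcp_flags(header: bytes) -> set:
    """Flag names set in a TCP header: the low bits of the 16-bit word at
    offset 12 (data offset + reserved + control bits)."""
    (offset_flags,) = struct.unpack("!H", header[12:14])
    return {name for name, bit in FLAG_BITS.items() if offset_flags & bit}

def make_segment(flags, sport=12345, dport=80) -> bytes:
    """Minimal 20-byte TCP header (no options, zero seq/ack) with the given flags."""
    bits = sum(FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | bits, 65535, 0, 0)

# (current state, flags seen) -> (slide step label, next state).  Direction is
# not tracked, so a clean exchange is labelled by flag combination alone.
TRANSITIONS = {
    ("CLOSED",      frozenset({"SYN"})):        ("1. Request Connection (SYN)", "SYN-SENT"),
    ("SYN-SENT",    frozenset({"SYN", "ACK"})): ("2. Accept Connection (SYN, ACK)", "SYN-RCVD"),
    ("SYN-RCVD",    frozenset({"ACK"})):        ("3. Confirm Connection (ACK): Session Start", "ESTABLISHED"),
    ("ESTABLISHED", frozenset({"PSH", "ACK"})): ("Data: Give Webpage (PSH, ACK)", "ESTABLISHED"),
    ("ESTABLISHED", frozenset({"ACK"})):        ("Data: Checksum OK (ACK)", "ESTABLISHED"),
    ("ESTABLISHED", frozenset({"FIN", "ACK"})): ("1. FIN-WAIT 1: Request Disconnection (FIN, ACK)", "FIN-WAIT"),
    ("FIN-WAIT",    frozenset({"ACK"})):        ("2. CLOSE-WAIT (ACK)", "CLOSE-WAIT"),
    ("CLOSE-WAIT",  frozenset({"FIN", "ACK"})): ("4. LAST ACK (FIN, ACK)", "LAST-ACK"),
    ("LAST-ACK",    frozenset({"ACK"})):        ("5. TIME WAIT (ACK): Session End", "CLOSED"),
}

def label_steps(segments):
    """One label per segment.  RST aborts the session (the slide's 'Emergent
    Session End'); anything else out of order is reported, not silently accepted."""
    state, labels = "CLOSED", []
    for seg in segments:
        flags = frozenset(tcp_flags(seg))
        if "RST" in flags:
            labels.append("RST: Emergent Session End")
            state = "CLOSED"
            continue
        label, state = TRANSITIONS.get((state, flags),
                                       (f"unexpected {sorted(flags)} in {state}", state))
        labels.append(label)
    return labels
```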

28 WireShark : Protocol Analyzer – Open Source

29 Network Security - Wired Sniffing Practice
Wireshark (Ethereal): the most representative Network Analyzer; open source; notable for its powerful filter capability; uses the WinPcap library and driver.
SuperScan: a simple port scanner; scans ports with a SYN attack.

30 HTTP Protocol
HTTP Request Message (Header, Body): User (Browser) → Web Server
HTTP Response Message (Header, Body): Web Server → User (Browser)

31 HTTP Protocol – Message Format
Header: HTTP Method + Host Domain + Client Platform Information
One white-space (empty) line as separator
Body: all Parameters & Data

32 HTTP - GET Method Request Message
○ HTTP GET Method Format (Message Header Only)
○ Message Size: Max 2K Byte Data Length?!
Method | Format | Description
GET | GET [request-uri]?query_string HTTP/1.1 / Host:[Hostname] or [IP] | The GET Method requests a Webpage from the Server with the URI (URL) in its Message Header part.
Annotations: URL Window in Browser; URL/URI (Universal Resource Identification/Location); Bulletin Board URL/URI; Query String

33 HTTP – GET Method Request Message
HTTP Method; Message Header Part; Message Body Part is Empty

34 HTTP – GET Method Request Message
1. GET /index.html HTTP/1.1   // Request Method, Webpage, HTTP Version
2. User-Agent: MSIE 6.0; Windows NT 5.0   // User's Web Browser; Platform Version
3. Accept: text/html; */*   // Acceptable Data Types
4. Cookie: name = value   // User Authentication Information
5. Referer:   // Previous page URL
6. Host:   // Requested Domain

35 HTTP - POST Method Request Message
○ HTTP POST Method Format (Header + Body)
○ Message Size: No limit! (Enough for Form-based Webpages, BBS, etc.)
Method | Format | Note
POST | POST [request-uri] HTTP/1.1 / Host:[Hostname] or [IP] / Content-Length:[Bytes] / Content-Type:[Content Type] / (one white-space line) / [query-string] or [Data] | Data Communication of a Form-based Web Page with Various Data & Parameters. The Browser can't show it in the URL Window!
Annotations: (http Header) URI; BID=notice Query String (http Body)
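Added example (not from the presentation) for slides 32-35: a parser that splits an HTTP/1.1 request at the empty separator line, then pulls the parameters from the query string for GET and from the body for POST. The two sample messages and the host name are constructed; the defender's point is that only the declared Content-Length bytes count as the request body.

```python
"""Parse an HTTP/1.1 request message the way slides 32-35 lay it out: request
line and header fields, one empty line as separator, then the body.  GET carries
its parameters in the URI query string (visible in the URL window); POST carries
them in the body.  Added example; both sample messages are constructed."""
from urllib.parse import parse_qs, urlsplit

GET_MSG = (
    "GET /board/list.jsp?BID=notice&page=2 HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: MSIE 6.0; Windows NT 5.0\r\n"
    "Cookie: name=value\r\n"
    "\r\n"
)
POST_MSG = (
    "POST /board/write.jsp HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 28\r\n"
    "\r\n"
    "BID=notice&title=hello+world"
)

def parse_request(raw: str) -> dict:
    head, sep, body = raw.partition("\r\n\r\n")   # the empty line separates header and body
    if not sep:
        raise ValueError("no empty line between header part and body part")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = parse_qs(parts.query)                # GET parameters ride in the URI
    if method == "POST":
        declared = int(headers.get("content-length", "0"))
        if len(body.encode()) < declared:
            raise ValueError("body shorter than Content-Length")
        body = body[:declared]                    # only the declared bytes belong to this request (ASCII body assumed)
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            params.update(parse_qs(body))         # POST parameters ride in the body
    return {"method": method, "path": parts.path, "query": parts.query,
            "version": version, "headers": headers, "body": body, "params": params}
```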

36 HTML - Form based Web Program Language

37 HTML - Form based Web Program Language
HTTP Method Header Part Body Part

38 HTML - Form based Web Program Language
Header Part Session(Cookie) Body Part

39 HTTP - Response Message Format
1. HTTP/1.1 OK   // HTTP version, Response Status Code
2. Server: NCSA/   // Web Server version
3. Content-type: text/html   // MIME Type (Multipurpose Internet Mail Extensions)
4. Content-length:   // HTTP Message Body Size
(Header Part above; one empty line as separator; Body Part below)
5. <html> <head></head> <Title>http protocol</Title> <body> The understanding of http protocol </body> </html>   // Requested HTML Webpage

40 HTTP - Response Message Format
HTTP Response Status Code

41 HTML - Form based Web Program Language

42 HTTP Response - Status Code
Request (URL/URI) from the Web Browser → Response (Status Code) from the Web Server
200 : OK, Request Success
201 : File Created in Server
302 : Moved to Webpage (Previous Webpage)
304 : Used Local Cache Info.
401 : Fail Authenticate
403 : Denied Access
404 : Not Exist Webpage
500 : Severe Error (DB Access Error → possible Injection)
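Added example (not from the presentation) for the status-code slide and the Web Log Analysis topic: a small analyzer that reads access-log lines and flags, per client, a run of 401/403/404 responses (what a URL scan leaves behind) and a run of 500 responses (a DB access error that deserves an injection check). The log lines, addresses and thresholds are constructed.

```python
"""Web log analysis over the response status codes on the slide.
Added example, not from the presentation; log lines are constructed (Common Log Format)."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
10.0.0.5 - - [16/Mar/2017:10:01:02 +0900] "GET /index.jsp HTTP/1.1" 200 5120
10.0.0.9 - - [16/Mar/2017:10:01:05 +0900] "GET /admin/ HTTP/1.1" 403 210
10.0.0.9 - - [16/Mar/2017:10:01:06 +0900] "GET /backup.zip HTTP/1.1" 404 198
10.0.0.9 - - [16/Mar/2017:10:01:07 +0900] "GET /db.bak HTTP/1.1" 404 198
10.0.0.9 - - [16/Mar/2017:10:01:08 +0900] "GET /config.old HTTP/1.1" 404 198
10.0.0.9 - - [16/Mar/2017:10:01:09 +0900] "GET /board/list.jsp?BID=9999 HTTP/1.1" 500 0
10.0.0.9 - - [16/Mar/2017:10:01:10 +0900] "GET /board/list.jsp?BID=9998 HTTP/1.1" 500 0
10.0.0.5 - - [16/Mar/2017:10:01:12 +0900] "POST /board/write.jsp HTTP/1.1" 302 0
this line is not a log record
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) (?P<ver>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$')

SCAN_CODES = {401, 403, 404}   # Fail Authenticate, Denied Access, Not Exist Webpage
ERROR_CODES = {500}            # Severe Error (DB Access Error)

def parse_log(text):
    """Yield one dict per well-formed record; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec

def analyze(text, scan_threshold=3, error_threshold=2):
    """Return {ip: [findings]} for clients whose status-code pattern looks like
    a scan or a run of server errors; quiet clients are absent."""
    scans, errors = defaultdict(int), defaultdict(int)
    for rec in parse_log(text):
        if rec["status"] in SCAN_CODES:
            scans[rec["ip"]] += 1
        if rec["status"] in ERROR_CODES:
            errors[rec["ip"]] += 1
    findings = defaultdict(list)
    for ip, n in scans.items():
        if n >= scan_threshold:
            findings[ip].append(f"scan: {n} responses in {sorted(SCAN_CODES)}")
    for ip, n in errors.items():
        if n >= error_threshold:
            findings[ip].append(f"server errors: {n} responses 500 (check for injection)")
    return dict(findings)
```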

43 Web Programming Method - Stateless? Banking Service Work Flow
Cyber Space: Huge Numbers of Users - Challenge: User Authentication Method
Banking Service Work Flow (Client ↔ Server):
POC Client Login = Thomas
POC Money Transfer = Who?
POC Confirm Balance = Who?
.....
POC Log Out = Who?

44 Web Programming Method - Cookie?
Server: User Authenticate. Client: Keeps Cookie.
POC Login = Thomas
POC Money Transfer = Thomas
POC Confirm Balance = Thomas
.....
POC Log Out = Thomas

45 Web Programming Method - Cookie?
Criteria                       | Persistent Cookie                | Session Cookie
Storage                        | Disk File                        | Browser Memory
Life Time                      | Time-Out Value, Deleted by User  | Browser End
On Initial Website Connection  | Sends Cookie                     | Does Not Send Cookie
Usage                          | Reconnect to Website             | Access Webpages

46 Web Programming Method - Cookie?
Hidden Parameter      | Cookie      | Session
Name, Password, Data  | + UA        | ++ Session ID
No Expire Time        | Time-Out    | Browser End
Very Simple           | Secure      | Very Secure
Stored in Client (Hidden Parameter, Cookie)  | Critical Data in Server (Session)

47 Web Programming Method - Cookie?
1. Initial request Webpage (Client → Server)
2. Create Cookie (Server)
3. Send Cookie (Server → Client)
4. Store Cookie (Client)
5. Request Webpage + Cookie (Client → Server)
6. User Authenticate (Server)
Client: Show up Screen, Translate HTML. Server: Process Web Program, Response HTML Webpage.
Session: Connect (Session Start) → Request Webpage (URL/URI) → Response (HTML File) → Disconnect (Session End)
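Added example (not from the presentation) for slides 44-49, Cookie + Session ID: the server keeps the critical data in its own session table and the cookie carries only a random session ID, so a client that edits the cookie (or supplies a user name as a hidden parameter) cannot become Thomas. The user names, time-out value and response strings are constructed; the clock is injectable so the time-out can be exercised.

```python
"""Stateless web programming with Cookie + Session ID, as on slides 44-49:
the browser keeps only an opaque session ID in its cookie and the critical
data (who is logged in) lives in the server's session table.
Added example; user names, time-out and response strings are constructed."""
import secrets
import time

SESSION_TIMEOUT = 600          # seconds; constructed time-out value (slide: "Time-Out")

class SessionStore:
    """Server-side session table keyed by a random, unguessable session ID."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}      # session_id -> {"user": ..., "last_seen": ...}

    def login(self, user: str) -> str:
        """Steps 2-3 on the slide: create the cookie value and hand it to the client."""
        sid = secrets.token_urlsafe(32)                 # 256 bits of randomness
        self.sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def authenticate(self, cookie_sid):
        """Step 6: map the presented cookie back to a user, or None."""
        entry = self.sessions.get(cookie_sid)
        if entry is None:
            return None                                 # unknown or forged ID
        if self.clock() - entry["last_seen"] > SESSION_TIMEOUT:
            del self.sessions[cookie_sid]               # expired: force a new login
            return None
        entry["last_seen"] = self.clock()
        return entry["user"]

    def logout(self, cookie_sid) -> None:
        self.sessions.pop(cookie_sid, None)

def handle_request(store: SessionStore, cookie_sid, action: str, params=None) -> str:
    """Each request (transfer, balance, logout) identifies the user from the
    cookie, never from a hidden parameter the client can edit."""
    user = store.authenticate(cookie_sid)
    if user is None:
        return "401 Fail Authenticate"
    if action == "logout":
        store.logout(cookie_sid)
    return f"200 OK {action} for {user}"   # params.get('user') is deliberately ignored
```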

48 Cookie Programming Methods: Hidden Parameter from Server

49 Stateless Web Programming Methods: Cookie + Session ID

50 Cookie Programming Methods: User Authenticate

51 Cookie Programming Methods: User Authenticate

52 HTTP - Response Status Code
Request (URL/URI) from the Web Browser → Response (Status Code) from the Web Server
200 : OK, Request Success
201 : File Created in Server
302 : Moved to Webpage (Previous Webpage)
304 : Used Local Cache Info.
401 : Fail Authenticate
403 : Denied Access
404 : Not Exist Webpage
500 : Severe Error (DB Access Error → possible Injection)

53 Web Log Analysis Scan

54 Hacking Concept - HTTP Intercept
Normal Access: User (Browser) → Request → Web Server → Response → User (Browser)
With a Hacking Tool in between: 1. Request → 2. Modified Request → 3. Response → 4. Modified Response

55 Hacking Points?! → Acquisition of Root Rights, Data, etc.
User Authenticate → Cookie & Session Data
File Upload → Server-Side Script file
File Download → System Backup file
SQL Injection → Private Member Data
Cross-Site Scripting (XSS) → Bulletin Board Injection

56 HTTP Intercept Tool - Paros!!
Paros: Client Proxy Capability; HTTP Analysis Capability; Web Server Hacking Vulnerable Point Analysis

57 HTTP Intercept Tool – Paros Installation !!

58 HTTP Intercept Tool – Paros Installation !!

59 HTTP Intercept Tool – Paros Installation !!

60 HTTP Intercept Tool – Paros Installation !!

61 Paros Developed for x86 environment only

62 Paros Execution

63 Paros is Java Application
Short Cut to Javaw.exe

64 JAVA Installation Paros needs JDK

65 JDK Installation !!

66 JDK Installation !!

67 JDK Installation – x86

68 JDK Installation !!

69 JDK Installation Completed !!

70 JDK Installation x86 - Confirm !!

71 JDK Installation - Confirm !!

72 PAROS Execution

73 PAROS Execution

74 HTTP Intercept – PAROS Ready to Use!
Normal Access: User (Browser) → Request → Web Server → Response → User (Browser)
With PAROS as User Proxy: 1. Request → 2. Modified Request → 3. Response → 4. Modified Response

75 Cyber Space Hacking Tool – Paros
○ Paros Main Functional Modules
1. Crawl: Collect URL Structure, Webpage Information
2. Scan: Find Vulnerable Patterns from the Collected Information
3. Report: Report Vulnerable Points
4. Proxy: Provide an HTTP Proxy Platform

76 Proxy Server Setting IE Browser

77 Proxy Server Setting IE Browser

78 Proxy Server Setting Chrome Browser

79 Proxy Server Setting Chrome Browser

80 Proxy Server Setting Chrome Browser

81 Proxy Server Setting Chrome Browser

82 Setting Paros Local Proxy : Tools>>Options>>Local Proxy

83 Web Port Number → Jump to Pertinent Service Program

84 Web Port Number (16 bits, 64k) → Assigned Service Handler
IANA: Internet Assigned Numbers Authority

85 Paros Scanning
HTTP Request / HTTP Response: Header part → Crawl Structure; Body part → Crawl Information; URL/URI → Web Log Information

86 Paros modify HTTP Data

87 Paros intercept & modify HTTP Data

88 Paros intercept & modify HTTP Data

89 Paros Demonstration ! http://www.skku.edu/index_pc.jsp >>global
GET HTTP/1.1 GET HTTP/1.1 Hack

90 Wrap Up!
Stateless Web Programming - Cookie
HTTP GET and POST Methods
Paros, Wireshark Tool Capability
Hacking & Defensing

91 Web vulnerabilities - OWASP top 10
OWASP: Open Web Application Security Project
#1 SQL Injection
#2 Broken Authentication and Session Management
#3 XSS: Cross-Site Scripting
#4 Insecure Direct Object References
#5 Security Misconfiguration
#6 Sensitive Data Exposure
#7 Missing Function Level Access Control
#8 Cross-Site Request Forgery
#9 Using Components with Known Vulnerabilities
#10 Unvalidated Redirects and Forwards

92 [Chart: Financial, Healthcare, Manufacturing, Retail, Technology, Government]

