Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2.

Published byVictoria Madison Thomas Modified over 8 years ago

Similar presentations

Presentation on theme: "Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2."— Presentation transcript:

1 Web Hacking 1

2 Overview Why web HTTP Protocol HTTP Attacks 2

3 Why Web Attacks? HTTP is the largest fraction of Internet traffic Web (with email) is most common application service imported by local networks More and more devices web enabled or configured Wide range of web attacks available Attacks on other services (such as DNS) may make things worse 3

4 HTTP as a Protocol Protocol is simple Almost entirely stateless Client makes requests Server responds Originally intended to serve static web pages Lots of extensions and applications: dynamic content, forms, multipart pages, video, sound, device control, etc. 4

5 HyperText Transfer Protocol TCP/80 or TCP/8080 Request/Response Stateless (almost) – Cookies give context Requests: request-line headers (host) empty line optional message Request-line: ● GET url ● TRACE url ● PUT url ● OPTIONS ● HEAD url ● POST url ● DELETE url ● CONNECT Response: Status line (404, 200) Message (data) 5 5

6 Sample HTTP Request GET / HTTP/1.1\r\n Host: www.google.com\r\n User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009033100 Ubuntu/9.04 (jaunty) Firefox/3.0.8\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n Accept-Language: en-us,en;q=0.5\r\n Accept-Encoding: gzip,deflate\r\n Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n Keep-Alive: 300\r\n Connection: keep-alive\r\n Cookie: PREF=ID=d4889c595edad968:U=3ee2d547a0ff8080:TM=1248621100:LM=124862112 6:S=_-MsPCamw5andO8z; NID=25=Es3pZDrhYCrlhBGm5fJ1Qk7WRNj2gxN- pVzn9z71NGmvJlttvdGEBGbEbnWi10E9KS1AuTdcggT63Yqb9jXUjdnebA7ctOQy- rnY_kPv4WtmGGeDr7onrxKJfbadEW_o\r\n \r\n Start line Blank line Header lines 6 6

7 Sample HTTP Response HTTP/1.1 200 OK\r\n Cache-Control: private, max-age=0\r\n Date: Wed, 29 Jul 2009 12:19:14 GMT\r\n Expires: -1\r\n Content-Type: text/html; charset=UTF-8\r\n Content-Encoding: gzip\r\n Server: gws\r\n Content-Length: 3272\r\n \r\n Google window.google={kEI:"Qj5wSv3GEo yQ8gTKvr2qBQ",kEXPI:"17259,18167,20760",kCSIE:"17259,18167,2 0760",kCSI:{e…..etc. Start line Header lines Blank line Message body 7 7

8 HTTP Attacks Some use of HTTP as an after-attack carrier – Beaconing – Exfiltration – Command traffic Attacks – Information gathering – Script injection – CGI-bin – HTTP Response Splitting 8

9 Information Gathering Header fields Behavior analysis Directory traversal 9

10 Header fields Server fields: Server, Via, X-powered-by, version Client fields: Client, Referer, X-wap-profile Software Versions Formatting files Directory structures Common communication partners 10

11 Behavior Analysis Protocol is not identically supported by server software and operating system stack Particularly true for erroneous requests Can build understanding of which version of software, in some cases, which patch level 11

12 Directory traversal GET../../../../../../../../../etc/passwd HTTP/1.0\r\n http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\ After attacker finds useful binaries, execute them directly http://www.example.com/../bin/remail.cgi?from=“bigboss@example.com”&subject=“ create new user shimeall”… Variety of different compromise and engineering attacks 12

13 Script Injection Placing special characters into input data Exploits inputs lacking validation checks SQL most common injection, attacking databases 13

14 Dangers of Script Injection Any site that uses database – Gain admin access – Modify existing data – Enter new data – Disclose data – Destroy data Also possible in HTTP GET/POST commands, some header fields 14

15 Doing Script Injection Put a single quote at end of input If application error, site is vulnerable Example URL and resulting query http://vulnerable.site/login.php?username=admin&password=password SELECT * FROM users WHERE username=‘admin’ and password=‘password’; Example malicious URL and resulting query http://vulnerable.site/login.php?username=foo’ or ‘1’=‘1&password=foo’ or ‘1’=‘1 SELECT * FROM users WHERE username=‘foo’ or ‘1’=‘1’ and password=‘foo’ or ‘1’=‘1’; – forces selection of valid username and password 15

16 CGI-bin Craft URLs that invoke support scripts for malicious effect http://www.example.com/../bin/remail.cgi?from=“bigboss@example.com”&s ubject=“create new user shimeall”… Find scripts via directory traversal or examination of web page source Lots of technical and user-directed attacks possible 16

17 HTTP Response Splitting Can exist in any site that makes use of user input to generate the values of some headers in server responses Can be used for – Web cache poisoning target: reverse proxy – goal: internet-wide defacement target: intermediate cache server – goal: phishing – cross-user defacement target: single browser – goal: targeted phishing 17

18 Normal Redirection Page 18 Example redirection page at /redir_lang.jsp <% response.sendRedirect("/by_lang.jsp?lang="+ request.getParameter("lang")); %> Example snippet of a redirection response for /redir_lang.jsp?lang=English HTTP/1.1 302 Moved Temporarily [CRLF] Date: Wed, 24 Dec 2003 12:53:28 GMT [CRLF] Location: http://10.1.1.1/by_lang.jsp?lang=English [CRLF] Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 [CRLF] …  User input to the lang parameter is embedded in the Location header

19 Malicious Input 19 Example malicious input /redir_lang.jsp?lang=foobar%0d%0aContent- Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent- Type:%20text/html%0d%0aContent- Length:%2019%0d%0a%0d%0a Shazam  %0d%0a is URL-encoded CRLF  This would be funneled through the target along with a request to a resource that the attacker wants to control.

20 Example Split Response 20 HTTP/1.1 302 Moved Temporarily [CRLF] Date: Wed, 24 Dec 2003 15:26:41 GMT [CRLF] Location: http://10.1.1.1/by_lang.jsp?lang=foobar [CRLF] Content-Length: 0 [CRLF] [CRLF] HTTP/1.1 200 OK [CRLF] Content-Type: text/html [CRLF] Content-Length: 19 [CRLF] [CRLF] Shazam Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 [CRLF] [Garbage…] /redir_lang.jsp?lang=foobar%0d%0aContent- Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK% 0d%0aContent- Type:%20text/html%0d%0aContent- Length:%2019%0d%0a%0d%0a Shazam

21 Summary Simple protocol Widest used protocol Growing in popularity among attackers – lots of opportunities – relatively easy to conduct – cookies, server configuration, client configuration, trust Hard to detect Effective 21

Download ppt "Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2."

Similar presentations

World Wide Web Basics Original version by Carolyn Watters (Dalhousie U. Computer Science)

World Wide Web Basics Original version by Carolyn Watters (Dalhousie U. Computer Science)
HTTP HyperText Transfer Protocol. HTTP Uses TCP as its underlying transport protocol Uses port 80 Stateless protocol (i.e. HTTP Server maintains no information.

HTTP HyperText Transfer Protocol. HTTP Uses TCP as its underlying transport protocol Uses port 80 Stateless protocol (i.e. HTTP Server maintains no information.
Hypertext Transfer Protocol Kyle Roth Mark Hoover.

Hypertext Transfer Protocol Kyle Roth Mark Hoover.
1 HTTP – HyperText Transfer Protocol Part 1. 2 Common Protocols In order for two remote machines to “ understand ” each other they should –‘‘ speak the.

1 HTTP – HyperText Transfer Protocol Part 1. 2 Common Protocols In order for two remote machines to “ understand ” each other they should –‘‘ speak the.
CS320 Web and Internet Programming Generating HTTP Responses

CS320 Web and Internet Programming Generating HTTP Responses
16-Jun-15 HTTP Hypertext Transfer Protocol. 2 HTTP messages HTTP is the language that web clients and web servers use to talk to each other HTTP is largely.

16-Jun-15 HTTP Hypertext Transfer Protocol. 2 HTTP messages HTTP is the language that web clients and web servers use to talk to each other HTTP is largely.
HTTP Hypertext Transfer Protocol. HTTP messages HTTP is the language that web clients and web servers use to talk to each other –HTTP is largely “under.

HTTP Hypertext Transfer Protocol. HTTP messages HTTP is the language that web clients and web servers use to talk to each other –HTTP is largely “under.
How the web works: HTTP and CGI explained

How the web works: HTTP and CGI explained
Data and Computer Communications Eighth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 23 – Internet Applications Internet Directory.

Data and Computer Communications Eighth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 23 – Internet Applications Internet Directory.
Definitions, Definitions, Definitions Lead to Understanding.

Definitions, Definitions, Definitions Lead to Understanding.
CS 142 Lecture Notes: HTTPSlide 1 HTTP Request GET /index.html HTTP/1.1 Host: User-Agent: Mozilla/5.0 Accept: text/html, */* Accept-Language:

CS 142 Lecture Notes: HTTPSlide 1 HTTP Request GET /index.html HTTP/1.1 Host: User-Agent: Mozilla/5.0 Accept: text/html, */* Accept-Language:
HTTP Overview Vijayan Sugumaran School of Business Administration Oakland University.

HTTP Overview Vijayan Sugumaran School of Business Administration Oakland University.
2/9/2004 Web and HTTP February 9, 2004. 2/9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.

2/9/2004 Web and HTTP February 9, /9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.
Hypertext Transport Protocol CS - 328 Dick Steflik.

Hypertext Transport Protocol CS Dick Steflik.
Client, Server, HTTP, IP Address, Domain Name. Client-Server Model Client Bob Yahoo Server yahoo.com/finance.html A text file named finance.html.

Client, Server, HTTP, IP Address, Domain Name. Client-Server Model Client Bob Yahoo Server yahoo.com/finance.html A text file named finance.html.
 What is it ? What is it ?  URI,URN,URL URI,URN,URL  HTTP – methods HTTP – methods  HTTP Request Packets HTTP Request Packets  HTTP Request Headers.

 What is it ? What is it ?  URI,URN,URL URI,URN,URL  HTTP – methods HTTP – methods  HTTP Request Packets HTTP Request Packets  HTTP Request Headers.
Introduction to Web Programming Fall 2014/2015 Some slides are based upon Web Technologies course slides, HUJI, 2009 Extended System Programming Laboratory.

Introduction to Web Programming Fall 2014/2015 Some slides are based upon Web Technologies course slides, HUJI, 2009 Extended System Programming Laboratory.
Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.

Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.
HTTP and Server Security James Walden Northern Kentucky University.

HTTP and Server Security James Walden Northern Kentucky University.
COMP3016 Web Technologies Introduction and Discussion What is the Web?

COMP3016 Web Technologies Introduction and Discussion What is the Web?

Similar presentations

Ads by Google