Scope of article
Websites are no longer merely a means of having an internet presence; they are also used for commercial transactions and sensitive data transfers. The wider use of the internet helps hackers gain more knowledge of vulnerabilities and exploitation techniques than before. Various studies by security experts show that hacking websites for fame or money is definitely on the rise. This article is the next in this series; it explains various web vulnerabilities and discusses the attacks that exploit them. We will also learn a few techniques which system administrators can incorporate to protect web infrastructure.
Web Server Basics
Because of its easy availability, hacking a website is something that can easily be done and hence is favoured by hackers. A novice hacker may attempt to steal data from a website, whereas a pro hacker may cause serious damage by defacing the web page or by using the web server to spread a virus. Unlike most other attacks, the techniques used in web attacks range from Layer 2 to Layer 7, making the web server susceptible to a wider variety of possible hacking attempts. Since the firewall port must be opened for the web service (default port 80), the firewall cannot prevent Layer 7 attacks, which makes detection of web attacks difficult. Please refer to Fig 2, which shows the typical components used to form a web portal infrastructure. From the security perspective, each of these components exhibits some vulnerability which, if exploited, can result in the hacking of web content. Let us now discuss some common yet dangerous attacks in detail.
DoS & sniffing – Since the website is hosted on an IP address which is open to the internet, a denial of service attack can easily be launched to take the web server down. Similarly, packet sniffing can easily be used to read plain-text user ids and passwords over the wire, if enough security measures are not taken during web design to encrypt them. Almost all Layer 2 and Layer 3 attacks, such as packet flooding, SYN flooding etc., are possible against the IP address and port on which the website is hosted.
HTTP DoS attack – Unlike a network layer based denial of service attack, an HTTP DoS attack works at Layer 7. In this type, the website is programmatically crawled to get a list of the pages that can be accessed, while also noting down the time required by the web server to process each page. Only those pages which require higher processing time are selected, and multiple HTTP requests are sent to the web server, each one requesting one of those selected pages. Since the web server is supposed to cater to and respond to each request, it starts consuming resources and, upon reaching its resource limits, eventually gives up and stops responding. Hackers are found to be using simple scripts to create a flood of HTTP GET requests to achieve this attack. If the website being attacked contains only simple static HTML pages, this attack does not work very well; however, if the page being accessed pulls data from a backend database server and sends the data to the browser, this attack can unfortunately cause considerable damage. While this attack may or may not result in data theft, it certainly shuts the website down, creating a bad user experience and reputational damage. Intelligent techniques need to be deployed to detect and stop this attack; we will learn about them shortly.
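One way to spot the GET flood described above in the web server's own logs is to count, per source address, how many requests for dynamic (database-backed) pages arrive within a sliding time window. This is an added example, not code from the article; the log lines are constructed in Apache "combined" format, and the `.php`/`.jsp`/`.asp` suffixes, the 10-second window and the threshold of 5 are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not taken from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:00 +0000] "GET /report.php?id=1 HTTP/1.1" 200 5123 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2024:10:00:00 +0000] "GET /report.php?id=2 HTTP/1.1" 200 5123 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /report.php?id=3 HTTP/1.1" 200 5123 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /search.php?q=a HTTP/1.1" 200 9000 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /report.php?id=4 HTTP/1.1" 200 5123 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /search.php?q=b HTTP/1.1" 200 9000 "-" "curl/7.68.0"
198.51.100.2 - - [10/Mar/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:10:00:04 +0000] "GET /report.php?id=9 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path without query string), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("path").split("?", 1)[0]


def find_floods(log_text, dynamic_suffixes=(".php", ".jsp", ".asp"), window_s=10, threshold=5):
    """Flag source IPs that request dynamic pages more than `threshold` times within any
    `window_s`-second sliding window. Returns {ip: peak request count seen in one window}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if path.endswith(dynamic_suffixes):      # static files are cheap; ignore them
            hits[ip].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:   # slide window start forward
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

Run against SAMPLE_LOG, only 203.0.113.7 is flagged (six dynamic-page requests in two seconds); the single request from 198.51.100.2 stays below the threshold.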
Access control exploitation – Usually, in the case of web portals, a user is given an id and a password to log in and perform certain functions. The portal administrators are also given their own credentials to perform maintenance and data management. If the web services and applications are not designed to be secure from a coding perspective, hackers can exploit them to gain elevated privileges. For example, if a web server is not patched with the latest security fixes, which may result in a remote code execution vulnerability, a hacker can possibly write a script or program to exploit that vulnerability, gain access to the web server and control it remotely. In some cases this happens because best coding and security practices are not followed, which leaves holes in the security configuration and makes the web solution susceptible to attack.
Forms input invalidation – Many websites use forms which are filled in with information by website users and submitted to the server. The server then validates the inputs and saves them to the database. The validation process is sometimes delegated to the client browser, or to the database server. If these validations are either not strong enough or not properly programmed, they can leave security holes which are exploited by hackers. For example, if a field such as the PAN number is mandatory and the validation for duplicate entries is not done properly, a hacker can programmatically submit forms with dummy PAN numbers, thus flooding the database with bogus entries. This can eventually help the hacker mount a denial of service attack, simply by querying the web page for entries which do not exist.
Code exploitation – While this type is a bit similar to the previous one, there is some difference in the way hackers exploit the situation. Many times programmers make assumptions while setting limits for various user inputs. Typical examples are assuming that a user name will never exceed 50 characters, or that numeric values will always be positive numbers. These assumptions are dangerous from a security standpoint, because a hacker can exploit them; for example, by filling the name field with 100 characters, thus putting stress on the data sets, or by providing negative integers in numeric fields to create incorrect calculation results.
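The two weaknesses above (a missing duplicate check on a mandatory PAN field, and unchecked length and sign of inputs) are closed by validating on the server rather than trusting the browser. The following is an added example, not the article's code; the field names, the 50-character name limit, the quantity ceiling and the `existing_pans` set standing in for the database lookup are all assumptions.

```python
import re

PAN_RE = re.compile(r"^[A-Z]{5}[0-9]{4}[A-Z]$")   # layout of an Indian PAN number
UINT_RE = re.compile(r"^[0-9]+$")                 # ASCII digits only: rejects "-5", "1e9", "12abc"
MAX_NAME_LEN = 50          # assumption: the limit the programmer "assumed" is now enforced
MAX_QUANTITY = 10_000      # assumption: upper bound for an order quantity


def validate_form(form, existing_pans):
    """Server-side validation of a submitted form (dict of field -> raw string).
    `existing_pans` is the set of PAN numbers already stored (the duplicate check).
    Returns (clean_values, errors); accept the form only when errors is empty."""
    errors, clean = [], {}

    name = (form.get("name") or "").strip()
    if not name:
        errors.append("name: required")
    elif len(name) > MAX_NAME_LEN:             # never rely on the client's maxlength attribute
        errors.append(f"name: longer than {MAX_NAME_LEN} characters")
    else:
        clean["name"] = name

    pan = (form.get("pan") or "").strip().upper()
    if not PAN_RE.match(pan):
        errors.append("pan: invalid format")
    elif pan in existing_pans:                 # stops repeated dummy PANs from piling up
        errors.append("pan: already registered")
    else:
        clean["pan"] = pan

    qty_raw = (form.get("quantity") or "").strip()
    if not UINT_RE.match(qty_raw):             # negative or non-numeric values are rejected here
        errors.append("quantity: must be a non-negative whole number")
    elif int(qty_raw) > MAX_QUANTITY:
        errors.append(f"quantity: exceeds maximum of {MAX_QUANTITY}")
    else:
        clean["quantity"] = int(qty_raw)

    return clean, errors
```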
All the attacks mentioned above are used by novice hackers, and following good programming practices can help stop them. Let us now take a look at technically advanced attacks which are also commonly used in today's web hacking.
Cookie poisoning – As explained earlier, a cookie is a small snippet of information which resides in the browser and is used to store user session specific information. It is the cookie which remembers our shopping cart contents, our preferences and the previous login information, in order to provide a rich web experience. While it is not very easy to tamper with a cookie which resides on the client machine's hard drive, an advanced hacker can gain control of it and manipulate its content. Poisoning is achieved via a Trojan or a virus which sits in the background and keeps forging cookies to gather the user's personal information and send it to the hacker. Besides this, the virus can also alter the contents of the cookie to cause serious problems, such as submitting the shopping cart so that the purchased items are delivered to a dummy address accessible to the hacker, or making the browser connect to advertisement servers which earn the hacker money. If session information is stored in the cookie, advanced hackers can gain control of it and steal the session, resulting in a man-in-the-middle attack.
Session hijacking – A web server talks to multiple browsers at the same time, taking requests in and delivering the requested content back. As each connection is made, the web server needs a means to maintain uniqueness for each connection. It uses session tokens for this purpose: a dynamically generated text string which is a function of the IP address, date and time etc. Hackers can steal this token either by guessing it programmatically, by sniffing the network, or by performing a client side script attack on the victim's computer. Once stolen, this token can be used to create a fake web request and steal the victim user's session and information.
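Two of the problems in the last two sections, cookies whose contents can be altered and session tokens that can be guessed, have a common server-side mitigation: issue tokens from a cryptographic random source, and attach an HMAC to every cookie value so that any alteration is detected on the next request. This is an added example, not code from the article; `SECRET_KEY` is a placeholder that would live only on the server, and the HMAC makes tampering detectable but does not hide the contents (encrypt separately if they are sensitive).

```python
import base64
import hashlib
import hmac
import secrets

# Placeholder only: a real deployment loads a long random key from server-side configuration.
SECRET_KEY = b"replace-with-a-long-random-server-side-key"


def new_session_token():
    """Unguessable session token: 32 random bytes from the OS CSPRNG, URL-safe encoded.
    Nothing about the client's IP address, date or time feeds into it, so there is
    nothing for an attacker to predict."""
    return secrets.token_urlsafe(32)


def _mac(payload, key):
    """HMAC-SHA256 of the payload, encoded without padding so it never contains '.'."""
    digest = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_cookie(payload, key=SECRET_KEY):
    """Return the cookie value to send: '<payload>.<signature>'."""
    return payload + "." + _mac(payload, key)


def verify_cookie(cookie, key=SECRET_KEY):
    """Return the payload if its signature is valid, otherwise None.
    A forged or altered cookie (e.g. a changed cart or delivery address) fails here."""
    payload, sep, sig = cookie.rpartition(".")
    if not sep:
        return None
    # compare_digest runs in constant time, so the check leaks no timing information
    if not hmac.compare_digest(sig, _mac(payload, key)):
        return None
    return payload
```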
URL query string tampering – Websites that pull data from a database server and show it on the web page are often found to use query strings in the main URL. For example, if the website URL is www.a.com, it may use www.a.com/showdata?field1=10&field2=15 to pass field1 and field2 as parameters, with their respective values, to the database, and the resultant output is presented to the browser in the form of a web page. With the query string format exposed so easily, it is possible for a user to edit and alter the field values beyond the expected limits, or to fill them with junk characters. This can further result in the user gaining access to information which he is not supposed to get. In a worse case, if the field values are the user id and password, a brute force dictionary attack can be used to gain system level access, merely over HTTP.
<script>alert('You are in trouble')</script>
SQL Injection – As we saw earlier, web portals use database servers in the backend, whereby the web page connects to the database, queries for data, and presents the fetched data in a better web format to the browser. A SQL injection attack can occur if the input on the client side is not filtered appropriately before it is sent to the database in the form of a query. This makes it possible to manipulate SQL statements in order to perform invalid operations on the database. A very common example of this attack would be a SQL server which is accessed by a web application, wherein the SQL statements are not filtered by some middleware or validation code component. This can lead to a hacker being able to craft and execute his own SQL statements on the backend database server, which could be simple SELECT statements to fetch and steal data, or could be as serious as dropping an entire data table. In another case, the data can be corrupted by populating record sets with malicious and fake content. Despite the increasing awareness of cyber security, the SQL injection attack is still found to be present on many websites.
While it is impossible to cover all possible attacks in this article, let us take a look at a couple of less known attacks which are increasingly being used in website exploitation.
Slow HTTP attack – While this one is similar to the denial of service attack, the technique is a bit different. It exploits the fact that each HTTP request must be listened to by the web server. Every web request starts with a field named Content-Length, which tells the server how many bytes to expect, and terminates with a carriage return and line feed (CRLF) character combination. The HTTP request is initiated by the hacker with a large value for the Content-Length field and, instead of sending the CRLF to conclude the request, it is simply delayed by sending very small amounts of bytes to the web server. This makes the web server think that there is more data yet to come in order to complete the request, thus consuming web server resources. If each request is delayed to a time just less than the session timeout setting on the server, multiple such slow requests can completely consume the resources and create a denial of service attack. This can be achieved merely by creating slow and delayed requests from one single client, which makes it dangerous from a security perspective.
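A plain idle timeout does not catch this attack, because the client keeps sending a byte or two before the timeout expires; the defence is a minimum receive rate, which is what Apache's mod_reqtimeout enforces in production. The function below is an added example, not code from the article or from Apache, that models that rule over a sequence of (arrival time, bytes) chunks; the 500 bytes/second rate and 5-second grace period are assumed values.

```python
class SlowRequestError(Exception):
    """Raised when a client feeds the request body slower than the allowed minimum rate."""


def read_body(chunks, content_length, min_rate_bps=500, grace_s=5.0):
    """Consume a request body from `chunks`, an iterable of (arrival_time_seconds, bytes).
    After the grace period the client must have delivered at least min_rate_bps bytes per
    second of elapsed time; a trickling client is dropped instead of holding a worker
    until Content-Length bytes eventually arrive. Returns the complete body."""
    received = bytearray()
    start = None
    for arrived_at, data in chunks:
        if start is None:
            start = arrived_at
        received += data
        if len(received) > content_length:
            raise ValueError("body exceeds the declared Content-Length")
        if len(received) == content_length:
            return bytes(received)
        elapsed = arrived_at - start
        required = max(0.0, elapsed - grace_s) * min_rate_bps
        if len(received) < required:
            raise SlowRequestError(f"only {len(received)} bytes received after {elapsed:.0f}s")
    # A real server's socket read timeout covers the case where no chunk arrives at all.
    raise SlowRequestError("connection closed before the body was complete")


def check_body(chunks, content_length, **limits):
    """Wrapper returning ('ok', body) or ('rejected', reason) instead of raising."""
    try:
        return "ok", read_body(chunks, content_length, **limits)
    except (SlowRequestError, ValueError) as exc:
        return "rejected", str(exc)
```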
Cryptographic exploitation – Secure websites use SSL certificate based technology to encrypt data flowing over the network. This leads to an illusion that everything is safe, which is unfortunately not the case. Many shopping cart applications forget to further encrypt the cookie contents and leave them in plain text. Though data theft over the wire is prevented by SSL, running a client side script to intercept the cookie and read its contents can potentially result in data or session theft. As for SSL itself, modern hackers use tools to detect and break weaker cipher algorithms, thus rendering SSL protection useless, though this is not very common.
Protecting FOSS systems
Apache running on Fedora and Ubuntu has gained great popularity among serious FOSS web infrastructures and solutions. The very first step is to harden the Apache web service itself; there are numerous guides on the internet for each Linux distro, with examples. Disabling ports other than the web service port, and stopping and disabling unnecessary services, is highly recommended. Deploying a well configured firewall or an intrusion detection device is essential. As mentioned earlier, a simple firewall is not sufficient, hence a content filtering firewall equipped to detect web layer attacks is required. Securing web portals is not limited to the web server, but also extends to components such as database servers, web services etc. From a network security standpoint, allowing IP connections to the database only from the front end web servers is a good idea. Running rootkit detectors, antivirus tools and log analysers must be a routine job to catch hacking attempts. For advanced security between the middleware and the web server, a stronger authentication mechanism should be in place too. Cookies should be encrypted, and the SSL deployed should be one with stronger cipher algorithms.
From a coding perspective, as we learnt earlier, it is essential to use secure programming techniques and also to follow best security practices such as code review and penetration testing. Additional processes such as input validation and server and database side validation are recommended too. Web exploitation is a commonly found way of attacking websites. Due to its easy availability and programmability, FOSS infrastructure is also susceptible to such attacks, and hence network administrators must understand techniques to protect their infrastructure from information loss or theft.