10 Common Types of Website Hacks
– The web server fails to parse the URL properly.
– e.g. the Unicode / Superfluous decode attack.
– Mismatched resource mappings in the configuration.
– e.g. +.htr, .JSP, Java remote command execution, etc.
webOPTIMA FIX: Usually requires entirely new files (Java, etc.); thorough inspection of the web server configuration and bindings.
– Ability to retrieve complete directory listing within directories on the web server
– Usually happens when the default document is missing
– Not-so-strict Web server configuration
webOPTIMA FIX: Web server configuration lock-down; disable serving of directory listings. Sometimes the fix may require entirely new Java scripting.
RETRIEVING “NON-WEB” FILES
– “Non-web” files can be: archive files (.zip, .tar.gz, etc.), backup files (.bak, ~, etc.), header / include files (.inc, .asa, etc.), text files (readme.txt, etc.)
– Can be retrieved with some guesswork, e.g. if there is a directory called /reports/, look for “reports.zip”
webOPTIMA FIX: Eliminate the careless presence of such files; disable serving of certain file types by creating a resource mapping; strict change control measures.
– Web proxy servers may work both ways!
– Typically meant to allow users from within a network to access external websites
– May end up proxying HTTP requests from the outside world to the internal network
– e.g. Compaq Insight Manager
– Usually happens when the front end web server proxies requests to back end app servers
webOPTIMA FIX: Check the web server proxy configuration thoroughly; check for URL mappings created to internal servers.
– Java Bytecode can be decompiled quite effectively
– May disclose sensitive information such as passwords, application paths, etc.
– May also disclose application logic, such as generation of session IDs, encryption, etc.
– Java Archive files (.jar files) may contain files other than bytecode, such as configuration files.
webOPTIMA FIX: Java bytecode obfuscation; elimination of sensitive configuration information within bytecode; elimination of unnecessary files within .jar files.
SOURCE CODE DISCLOSURE
– Ability to retrieve application files in an unparsed manner
– Attackers can recover the source code of the web application itself.
– The code can then be used to find further loopholes / trophies
– May be caused in many ways: misconfiguration or vendor errors, poor application design, etc.
webOPTIMA FIX: Vendor-supplied fixes (modules, etc.); locking down the web server configuration; secure coding practices.
– Root cause of most web hacks
– All inputs received should be validated (data types, date ranges, buffer sizes and bounds, metacharacters)
– Tampering with hidden fields
webOPTIMA FIX: These are the worst to deal with. Closing the door requires removal of files, rewriting of files, and proper coding practices.
SQL QUERY POSITIONING
– Parameters from the URL or input fields get used in SQL queries
– An instance of Input Validation attacks
– Data can be altered to extend the SQL query. (e.g. http://server/query.asp?item=3+OR+1=1)
– Execution of stored procedures
– May even lead to back-end database server compromise
webOPTIMA FIX: In-depth source code review; following the principle of least privilege for the database application; elimination of unnecessary database users and stored procedures; cleanup of all database files for basecode injections.
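The query.asp example above, worked through in an added Python/sqlite3 example (not code from the original page): concatenating the `item` parameter lets `3 OR 1=1` defeat the query's own `public = 1` filter, while validating the parameter's type and binding it as a query parameter closes the hole. The `items` table, its columns and the sample rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory catalogue standing in for the back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(1, "widget", 1), (2, "gadget", 1), (3, "gizmo", 1), (4, "internal-price-list", 0)],
    )
    return conn


def lookup_unsafe(conn, item):
    """Vulnerable form: the URL parameter is pasted straight into the SQL text.
    AND binds tighter than OR, so '3 OR 1=1' becomes
    (public = 1 AND id = 3) OR 1=1 and every row, public or not, comes back."""
    sql = "SELECT name FROM items WHERE public = 1 AND id = " + item
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, item):
    """Hardened form: validate the data type first, then bind the value so the
    database engine treats it as data and it can never extend the query."""
    if not item.isdigit():
        raise ValueError("item must be a positive integer")
    sql = "SELECT name FROM items WHERE public = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (int(item),))]


def demo():
    """Runs both lookups against the normal value and the page's injected value."""
    conn = make_db()
    normal = lookup_unsafe(conn, "3")            # ['gizmo']
    injected = lookup_unsafe(conn, "3 OR 1=1")   # all four names, including the non-public row
    safe = lookup_safe(conn, "3")                # ['gizmo']
    try:
        lookup_safe(conn, "3 OR 1=1")
        rejected = False
    except ValueError:
        rejected = True                          # injected value never reaches the database
    return normal, injected, safe, rejected


if __name__ == "__main__":
    print(demo())
```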
– HTTP is inherently a “stateless” protocol, but web applications are stateful
– Poor mechanisms of state tracking: hidden fields carrying a session ID, client-side cookies, … with no server-side session tracking
– Reverse engineering of the session ID leads to access of other users’ data
webOPTIMA FIX: Use server-side session ID tracking; match connections with time stamps, IP addresses, etc.; cryptographically generated session IDs (hard to sequence); use web application server session management APIs when possible.
– Poor bounds checking
– Web server HTTP requests (e.g. ASP buffer overflow, .printer, etc.)
– Application Input fields
– Can cause: denial of service (crashing the app / service), remote command execution (shellcode)
webOPTIMA FIX: Vendor-supplied fixes; bounds checking within applications; source code reviews; buffer overflow testing.