CEHv12-13 - Web Application Hacking - Hacking Web Servers

Web server basics

A web server is a network service that delivers web applications and pages to users. Ethical hackers need to understand web servers, including their components, vulnerabilities, and security measures.

Common web server software

  1. Apache: Most widely used open-source web server. Stable, free, and highly configurable.
  2. Nginx: Known for its performance and efficiency in handling concurrent connections. Often used for load balancing and reverse proxying.
  3. IIS (Internet Information Services): Proprietary Microsoft server software. Integrated into Windows Server with advanced features for Windows-based environments.

Web server components

  1. Document root: directory where the primary website files (e.g., index.html) are stored (e.g. /var/www/html for Apache).
  2. Server root: location for configuration files, logs, and supporting scripts (e.g. /etc/apache2/ for Apache servers).
  3. Virtual directories: remote or external storage locations for website content.
  4. Virtual hosts: allow hosting multiple websites on a single server using distinct domain names (e.g. admin.example.com for admin access).
  5. Web proxies: handle requests between clients and servers, filtering traffic for security or performance purposes.

Common web server vulnerabilities

  1. Outdated software: unpatched operating systems, web servers, or applications expose known vulnerabilities.
  2. Default configurations: default usernames, passwords, or file locations are often exploited.
  3. Poor authentication mechanisms: weak or absent authentication controls allow unauthorized access.
  4. Misconfigurations: incorrect permissions or settings can expose sensitive data.
  5. Software vulnerabilities: security flaws in CMSs (e.g., WordPress) or web applications can be exploited.

Countermeasures and mitigations

  1. Network design:
    • DMZ (Demilitarized Zone): isolates public-facing servers from internal networks.
    • Network Segmentation: limits access and damage in case of a breach.
    • Firewalls: use Web Application Firewalls (WAFs) to filter traffic based on HTTP/HTTPS rules.
  2. Security practices:
    • Patches and updates: regularly update all components, including server software and applications.
    • Change defaults: avoid default credentials and file locations.
    • File permissions: set restrictive permissions to limit access.
    • Secure coding: filter user input to prevent injection attacks (e.g., SQLi, XSS).
  3. Additional measures:
    • Encryption: use HTTPS and other encryption protocols for secure communication.
    • Honeypots: detect and analyze attacker behaviors.
    • Error handling: avoid detailed error messages that expose sensitive information.

Web server attacks

Web servers are critical components of modern infrastructure but are frequent targets for attackers.

Types

  1. Denial of Service (DoS/DDoS): overwhelms a server with excessive traffic, making it unavailable to legitimate users (e.g. targeting enterprise websites, like Amazon, can result in significant financial losses).
  2. Directory traversal: exploits vulnerabilities to navigate beyond the web root directory into the server’s file system (e.g. accessing /var/www/admin/settings.php to retrieve database credentials).
    • Technique: using ../ to move up directory levels and access sensitive files like /etc/passwd.
    • Impact: exposes configuration files, logs, or sensitive data stored on the server.
  3. Phishing: cloning a website to trick users into providing credentials or downloading malware.
    • Method:
      • Craft a phishing email or text with a link to a fake website.
      • Harvest user credentials when they attempt to log in.
    • Impact: compromised user accounts or malware infection.
  4. Defacement: attackers alter a website’s front page to display messages, slogans, or images.
    • Common Targets: Organizations targeted by hacktivists.
    • Impact: damages brand reputation and trust.
  5. Brute Force remote administration: repeatedly guesses credentials for remote access services like SSH, RDP, or web admin portals.
    • Tools: Hydra, Ncrack, Burp Suite, WPScan (for WordPress).
    • Impact: unauthorized access to administrative interfaces.
  6. Server-Side Request Forgery (SSRF): forces a server to send unauthorized requests on behalf of the attacker.
    • Use Cases: internal port scanning; accessing internal resources using trusted server privileges (e.g. sending requests to 127.0.0.1:22 to check if SSH is enabled).
  7. Cross-Site Scripting (XSS): injects malicious scripts into a webpage, executed in users’ browsers.
    • Impact:
      • Session hijacking.
      • Redirection to malicious websites.
      • Data theft.
    • Variants: Stored, Reflected, DOM-based XSS.
  8. Insecure Direct Object References (IDOR): exploits insufficient access controls to access restricted objects directly (e.g. manipulating URL parameters to access unauthorized files or records).
  9. Injection attacks: injects malicious code or commands into applications or servers (e.g. using ; ls -la to list server files).
    • Subtypes:
      • SQL Injection: manipulating SQL queries.
      • Command Injection: executing system commands using input fields.
  10. File Inclusion (RFI/LFI):
    • Types:
      • Remote File Inclusion (RFI): includes external files via URL input.
      • Local File Inclusion (LFI): exploits the server to access local files.
    • Impact: exposes sensitive data or executes malicious scripts.
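The directory traversal item above describes ../ sequences escaping the document root. As an added example (not part of the original notes), the resolver below shows a naive path join beside a hardened one that percent-decodes, canonicalises and then confines the result to the document root; the document root /var/www/html is the constructed value from the notes and no files need to exist for the checks to run.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the example (matches the Apache default in the notes).
DOCROOT = "/var/www/html"


def resolve_vulnerable(docroot: str, requested: str) -> str:
    """Naive resolver: joins the client-supplied path onto the document root.

    normpath collapses '../' lexically, so '../../../etc/passwd' resolves to a
    path outside the web root and would be served if the file exists.
    """
    return os.path.normpath(os.path.join(docroot, requested.lstrip("/")))


def resolve_hardened(docroot: str, requested: str) -> Optional[str]:
    """Hardened resolver: decode, join, canonicalise, then confine to the root.

    Returns the canonical path when it lies under docroot, otherwise None so the
    caller can answer 403/404 without touching the filesystem.
    """
    root = os.path.realpath(docroot)
    # Percent-decode first: '%2e%2e/' becomes '../' once the server decodes it.
    decoded = unquote(requested)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath compares whole components, so a sibling such as '/var/www/html2'
    # is rejected where a plain startswith() prefix check would accept it.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("index.html", "../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "../html2/secret"):
        print(f"{req!r:38} vulnerable -> {resolve_vulnerable(DOCROOT, req)}")
        print(f"{'':38} hardened   -> {resolve_hardened(DOCROOT, req)}")
```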

Countermeasures

  • Patches and Updates: regularly update web servers and software to fix known vulnerabilities.
  • Least Privilege: restrict permissions to limit access to sensitive directories and files.
  • Input Validation: sanitize user inputs to prevent injection attacks.
  • Use WAFs: deploy Web Application Firewalls to filter malicious traffic.
  • Monitor Logs: identify abnormal activity through log analysis.
  • Error Handling: avoid exposing detailed error messages that aid attackers.
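The "Monitor Logs" countermeasure above is left abstract. As an added example (not part of the original notes), the script below parses constructed Apache/Nginx combined-format access log lines and flags two of the attacks listed earlier: directory traversal probes (plain or percent-encoded) and brute-force attempts against a WordPress login form. The sample lines, the /wp-login.php path and the assumption that a failed WordPress login returns 200 while a successful one redirects with 302 are all the example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/Nginx combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _failed_logins(ip, n):
    # Constructed: n POSTs to the login form from one client, one second apart.
    return [f'{ip} - - [10/May/2024:12:01:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" '
            f'200 1200 "-" "python-requests/2.31"' for i in range(n)]


# Constructed sample log (not real traffic): benign request, two traversal probes,
# six repeated login POSTs from one client, one genuine login from another.
SAMPLE_LOG = "\n".join(
    ['203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
     '203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"',
     '203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0 "-" "curl/8.0"']
    + _failed_logins("198.51.100.9", 6)
    + ['192.0.2.5 - - [10/May/2024:12:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_traversal(path):
    # Decode twice so '%2e%2e/' and double-encoded '%252e%252e/' are both caught.
    decoded = unquote(unquote(path))
    return "../" in decoded or "..\\" in decoded


def analyze(log_text, login_path="/wp-login.php", threshold=5):
    """Return traversal probes and clients with >= threshold apparent failed logins.
    Assumption: a failed login re-renders the form (200); success redirects (302)."""
    traversal, login_fails = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_traversal(rec["path"]):
            traversal.append((rec["ip"], rec["path"]))
        if rec["method"] == "POST" and rec["path"] == login_path and rec["status"] == "200":
            login_fails[rec["ip"]] += 1
    brute_force = {ip: n for ip, n in login_fails.items() if n >= threshold}
    return {"traversal": traversal, "brute_force": brute_force}
```

Status-code heuristics differ per application, so tune login_path and the success/failure codes to the portal actually deployed before relying on the brute-force count.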

Web server hacking methodology

5 steps:

  1. Reconnaissance: the initial phase to gather information about the target system.

    • Key activities:
      • Identify open ports and services (e.g., HTTP, HTTPS, MySQL).
      • Determine server type and version (e.g., Apache, Nginx, IIS).
      • Check for CMS platforms (e.g., WordPress, Joomla).
      • Perform subdomain enumeration and DNS analysis.
    • Tools:
      • nmap: port scanning and version detection.
      • Manual inspection of webpage banners, source code, and DNS records.
  2. Vulnerability scanning: identify known vulnerabilities in web servers and applications.

    • Tools:
      • Nessus and Tenable: Industry-standard vulnerability scanners.
      • OpenVAS: open-source vulnerability scanning.
      • Nikto: scans for common web server vulnerabilities.
      • OWASP ZAP: open-source tool with extensive features for web app testing.
      • Burp Suite: paid tool offering advanced scanning and manual testing.
  3. Directory fuzzing: identify hidden directories or files on the web server (e.g. discovering directories containing sensitive files such as wp-config.php or settings.xml with misconfigured permissions).

    • Process:
      • Use tools to brute-force directory paths using common naming conventions.
      • Check for sensitive directories like /admin/, /passwords/, or /logs/.
      • Inspect files like robots.txt for disallowed directories.
    • Tools:
      • Feroxbuster: fast, Rust-based directory fuzzing tool.
      • GoBuster and Dirb: Widely used for directory discovery.
  4. Abusing defaults: exploit default configurations, credentials, or files left unchanged.

    • Common Issues:
      • Default usernames and passwords (e.g., admin/admin, root/root).
      • Unsecured configuration files (e.g., phpinfo.php exposing server details).
      • Unrestricted access to administrative pages.
    • Mitigation:
      • Change default credentials immediately after installation.
      • Restrict access to sensitive files and configuration pages.
  5. Web application attacks: leverage information gathered to exploit vulnerabilities (e.g. after obtaining admin credentials, perform authenticated scans to find additional vulnerabilities).

    • Attack Vectors:
      • Exploiting default credentials to gain admin access.
      • Using tools like Burp Suite or OWASP ZAP to craft and execute attacks.
    • Goal: report findings to the client for remediation.