Application Server Attacks
INFR 4662U – Winter 2020
Garrett Hayes
Excerpts and concepts taken from the Web Application Hacker’s Handbook 2nd Edition, Stuttard & Pinto, Wiley Press
License: Creative Commons
2
Information Disclosure
3
Information Disclosure Sources
Performing arbitrary actions against a web application may result in sensitive data leakage, by means of:
• Error Messages
• Stack Traces
• Debug Messages
4
Leaky Error Messages
§ Unexpected events, perhaps as a result of
invalid user input, may cause a web
application to return an error message
§ These error messages may not be visible
in the browser - rather, you may see
them directly in the HTTP response
§ Error messages can divulge missing
parameter names, versions of software being
used, encryption mechanisms implemented,
and other sensitive information about the
application
5
Example PHP Error
[02-Oct-2016 [Link] PHP Fatal error: Call to undefined function add_action() in /home4/finister/public_html/test/wp-content/themes/solaris/fw/core/[Link] on line 11
[02-Oct-2016 [Link] PHP Fatal error: Call to undefined function add_action() in /home4/finister/public_html/test/wp-content/themes/solaris/fw/core/[Link] on line 11
[02-Oct-2016 [Link] PHP Fatal error: Call to undefined function add_action() in /home4/finister/public_html/test/wp-content/themes/solaris/fw/core/[Link] on line 7
[02-Oct-2016 [Link] PHP Fatal error: Call to undefined function add_action() in /home4/finister/public_html/test/wp-content/themes/solaris/fw/core/[Link] on line 11
[02-Oct-2016 [Link] PHP Fatal error: Call to undefined function add_action() in /home4/finister/public_html/test/wp-content/themes/solaris/fw/core/[Link] on line 11
[02-Oct-2016 [Link] PHP Fatal error: Call to undefined function add_action() in /home4/finister/public_html/test/wp-content/themes/solaris/fw/core/[Link] on line 11
[02-Oct-2016 [Link] PHP Fatal error: Call to undefined function add_action() in /home4/finister/public_html/test/wp-content/themes/solaris/fw/core/[Link] on line 7
[02-Oct-2016 [Link] PHP Fatal error: Call to undefined function add_action() in /home4/finister/public_html/test/wp-content/themes/solaris/fw/core/type.post_type.php on line 11
6
Example MySQL Error
Warning: mysql_connect(): Access denied for user 'root'@'localhost' (using password: NO) in /home/seleccionfidenag/public_html/b4k&2018/clases/clase_mysql.[Link] on line 38
Warning: mysql_query(): Access denied for user ''@'localhost' (using password: NO) in /home/seleccionfidenag/public_html/b4k&2018/[Link] on line 11
Warning: mysql_query(): A link to the server could not be established in /home/seleccionfidenag/public_html/b4k&2018/[Link] on line 11
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /home/seleccionfidenag/public_html/b4k&2018/[Link] on line 12
Warning: mysql_connect(): Access denied for user 'root'@'localhost' (using password: NO) in /home/seleccionfidenag/public_html/b4k&2018/clases/clase_mysql.[Link] on line 38
7
Example ColdFusion Error
Error Diagnostic Information
Just in time compilation error
An extraneous end tag </CF_dciv5> has been encountered at document position (12:1) to (12:11). End tags cannot be present in CFML templates without a matching start tag.
The last successfully parsed CFML construct was static text occupying document position (8:17) to (11:1).
The specific sequence of files included or processed is:
C:\Inetpub\wwwroot\v5\[Link]\Products\dns2go\v5shells\common\[Link]
Date/Time: xxx
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0
Remote Address: xxx
HTTP Referer: [Link]
8
Leaky Stack Traces
§ More complex web application languages will
handle crashes differently than simple script-
oriented languages like JS
§ Languages like Java and [Link] in
particular will create a stack trace when an
unhandled error occurs
§ Stack traces provide additional insight into
the state of the application when the error
occurred
9
Leaky Stack Traces
§ Unlike error messages, stack traces usually
indicate why the error occurred
§ These traces may leak parameters or data
types expected by the application
§ Additional information about classes and
libraries loaded will often be provided
§ If you’re lucky, perhaps even version
information!
§ Finally, information about the application path
and its environment may also be dumped
§ File paths, usernames, etc.
10
Example PHP Stack Trace
[08-Mar-2018 [Link] America/Chicago] PHP Fatal error: Class 'WP_Dependencies' not found in /home2/patahiti/public_html/Multi/wp-includes/[Link] on line 18
[08-Mar-2018 [Link] America/Chicago] PHP Fatal error: Uncaught Error: Call to undefined function add_shortcode() in /home2/patahiti/public_html/Multi/wp-includes/[Link]
Stack trace: #0 {main} thrown in /home2/patahiti/public_html/Multi/wp-includes/[Link] on line 1484
[08-Mar-2018 [Link] America/Chicago] PHP Warning: require_once(ABSPATHWPINC/[Link]): failed to open stream: No such file or directory in /home2/patahiti/public_html/Multi/wp-includes/[Link] on line 11
[08-Mar-2018 [Link] America/Chicago] PHP Fatal error: require_once(): Failed opening required 'ABSPATHWPINC/class-walker-nav-[Link]' (include_path='.:/opt/php70/lib/php') in /home2/patahiti/public_html/Multi/wp-includes/[Link] on line 11
[08-Mar-2018 [Link] America/Chicago] PHP Warning: require(ABSPATHWPINC/[Link]): failed to open stream: No such file or directory in /home2/patahiti/public_html/Multi/wp-includes/[Link] on line 11
[08-Mar-2018 [Link] America/Chicago] PHP Warning: require(ABSPATHWPINC/[Link]): failed to open stream: No such file or directory in /home2/patahiti/public_html/Multi/wp-includes/[Link] on line 11
[08-Mar-2018 [Link] America/Chicago] PHP Fatal error: require(): Failed opening required 'ABSPATHWPINC/[Link]' (include_path='.:/opt/php70/lib/php') in /home2/patahiti/public_html/Multi/wp-includes/[Link] on line 11
11
Example [Link] Stack Trace with Cookie
12
Example [Link] Stack Trace with Session
13
Leaky Debug Messages
§ In some cases developers may manually enable
application debugging in order to identify and
remove bugs
§ And they’ll probably forget to turn it off
§ Debug messages include all kinds of sensitive
data like usernames, passwords, sessions,
environmental variables, tokens, encryption
keys, etc.
§ If you’re lucky, perhaps even an HTML5
debugging environment!
14
Example phpinfo() Leak
15
Example CGI Debug Message 1/2
16
Example CGI Debug Message 2/2
17
Triggering Errors
§ Even if a web application doesn’t reveal any
error/debug/stack trace messages during the
exploration phase, it may be possible to
trigger these events by tampering with input
parameters
§ Some errors may not show up in the
browser, so it’s important to use a proxy or
custom script to grep for keywords, such as:
§ error, stack, trace, not found, failed,
exception, invalid, SQL, SELECT, etc.
18
Application Server Attacks
19
Attacking Web Servers
§ Unlike the remaining topics in this course,
this module focuses on attacking the
underlying web server itself, including
misconfigurations, insecure options, default
credentials, etc.
§ Even if a web application is coded securely,
the underlying web server may contribute to
an application’s exploitation by proxy
§ This could be as simple as the web
server leaking session data through a
debug message, as seen previously
20
Administrative Interfaces & Default Credentials
§ Some web servers have remote
administrative interfaces that can be used
to control or view the status of the
underlying server, often running on ports
8080 or 8443
§ For example, Apache Tomcat used to
host Java servlets runs on port 8080
§ These administrative interfaces may use
default credentials, allowing you to debug,
modify, or execute new/existing code
Default credentials for common administrative interfaces
Table taken from the Web Application Hacker’s Handbook 2nd Edition, Stuttard & Pinto, Wiley Press
21
Administrative Interface: JBoss JMX
22
Directory Indexing
§ As seen in the last topic, some servers like
Apache provide directory indexing by default
when a folder does not contain the requisite
file (i.e. [Link], [Link], [Link], etc.)
§ Directories with open indexing return a list of
all files and folders within that directory,
sometimes exposing old scripts, backup files,
CSVs, sensitive files, SQL backups, etc.
§ If you find even a single open index on a
web server, open indexing is likely enabled
everywhere! Keep brute forcing…
23
Directory Indexing Misconfiguration
24
WebDAV Overview
§ WebDAV refers to a set of HTTP methods
used to manage files remotely (DAV =
Distributed Authoring and Versioning)
§ WebDAV is heavily used in cloud
collaboration software, cloud storage,
and other distributed file-centric
applications
§ For example, NextCloud and SharePoint
both use WebDAV to remotely manage
file resources over the web
25
WebDAV Methods
§ Like standard HTTP, WebDAV uses specific
methods to manage file resources:
§ PUT uploads a file to a specific location
§ COPY & MOVE copy or move a file
resource to a specified location
§ DELETE removes a file at a specific
location
§ SEARCH searches a path for a file
resource
§ PROPFIND retrieves the metadata for a
file resource (modified date, size, etc.)
26
WebDAV Example Request/Response
Request:
OPTIONS /filepath/ HTTP/1.1
Host: [Link]
Result:
HTTP/1.1 200 OK
[snip]
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
Allow: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, COPY, MOVE
Allow: MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, ORDERPATCH
DAV: 1, 2, ordered-collections
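Added example (not from the slides): a small audit helper that parses an OPTIONS response like the one above and reports which WebDAV methods a server advertises, separating the ones that can change content from the read-only ones. The response text is constructed to mirror the slide.

```python
# Added example (not from the slides): parse an HTTP OPTIONS response and
# report which WebDAV methods the server advertises, flagging the ones that
# can modify content. SAMPLE_RESPONSE is constructed to mirror the slide.
from typing import Dict, List, Set

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "MicrosoftOfficeWebServer: 5.0_Pub\r\n"
    "Allow: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, COPY, MOVE\r\n"
    "Allow: MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, ORDERPATCH\r\n"
    "DAV: 1, 2, ordered-collections\r\n"
    "\r\n"
)

# Methods that create, change or remove resources, or alter their metadata.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL",
                 "PROPPATCH", "LOCK", "UNLOCK", "ORDERPATCH"}
# Methods a production web server normally has no reason to expose.
UNNEEDED_METHODS = {"TRACE"}

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Header map of the response; repeated headers (e.g. Allow) accumulate."""
    headers: Dict[str, List[str]] = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:        # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def advertised_methods(raw: str) -> Set[str]:
    """Union of every Allow: header value, upper-cased."""
    methods: Set[str] = set()
    for value in parse_headers(raw).get("allow", []):
        methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods

def webdav_enabled(raw: str) -> bool:
    """A DAV: header means the server speaks WebDAV on this path."""
    return "dav" in parse_headers(raw)

def audit(raw: str) -> Dict[str, Set[str]]:
    """Write-capable and unneeded methods the server exposes."""
    methods = advertised_methods(raw)
    return {"write": methods & WRITE_METHODS, "unneeded": methods & UNNEEDED_METHODS}

if __name__ == "__main__":
    print("WebDAV:", webdav_enabled(SAMPLE_RESPONSE))
    for kind, found in audit(SAMPLE_RESPONSE).items():
        print(f"{kind}: {sorted(found)}")
```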
27
WebDAV Exploitation
§ Since WebDAV supports sensitive
methods like PUT & DELETE, it’s possible
that one or more directories on the
server have incorrect permissions,
ultimately allowing you to arbitrarily
manipulate resources
§ Permissions are often set on a per-
file and per-directory basis, so some
brute forcing and recursive checking
may be needed
28
WebDAV Exploitation
§ Even if you find a misconfigured directory
allowing you to PUT and COPY files, the
webserver may restrict you from uploading
malicious file types (.jsp for example)
§ To get around this, try uploading your
malicious file as .txt then use COPY or
MOVE to change the file extension!
§ File extensions like .html and .jar can often be
uploaded and used to manipulate users
(phishing pages, for example)
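Added example (not from the slides): detection logic for the rename trick above, run over constructed access-log lines. It assumes a log format that appends the Destination request header after the byte count (Apache’s LogFormat can do this with %{Destination}i); a COPY or MOVE whose destination gains an executable extension is flagged.

```python
# Added example (not from the slides): flag the "upload as .txt, then rename"
# pattern in a WebDAV-enabled server's access log. SAMPLE_LOG is constructed
# and assumes a LogFormat that appends the Destination request header
# (Apache: %{Destination}i) as a final quoted field; "-" means absent.
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Extensions the server would execute rather than serve as plain data.
EXECUTABLE_EXTS = {".jsp", ".jspx", ".php", ".asp", ".aspx", ".cgi", ".war"}
RENAME_METHODS = {"MOVE", "COPY"}

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ "(?P<dest>[^"]*)"$'
)

SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2020:10:00:01 +0000] "PUT /dav/notes.txt HTTP/1.1" 201 0 "-"
10.0.0.5 - - [01/Feb/2020:10:00:03 +0000] "MOVE /dav/notes.txt HTTP/1.1" 201 0 "http://example.test/dav/upload.jsp"
10.0.0.7 - - [01/Feb/2020:10:01:10 +0000] "PUT /dav/report.txt HTTP/1.1" 201 0 "-"
10.0.0.7 - - [01/Feb/2020:10:01:12 +0000] "COPY /dav/report.txt HTTP/1.1" 201 0 "http://example.test/dav/archive/report.txt"
10.0.0.9 - - [01/Feb/2020:10:02:00 +0000] "PUT /dav/page.jsp HTTP/1.1" 403 0 "-"
"""

def ext_of(target: str) -> str:
    """Lower-cased extension of a path or full URL ('' if none)."""
    path = urlsplit(target).path            # strips scheme/host when given a URL
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("/") else ""

def find_rename_to_executable(log_text: str) -> List[Tuple[str, str, str]]:
    """(client, source, destination) for each successful COPY/MOVE that turns
    a non-executable resource into one with an executable extension."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["method"] not in RENAME_METHODS:
            continue
        if m["dest"] == "-" or not m["status"].startswith("2"):
            continue                        # no destination, or the rename failed
        if ext_of(m["path"]) not in EXECUTABLE_EXTS and ext_of(m["dest"]) in EXECUTABLE_EXTS:
            findings.append((m["client"], m["path"], urlsplit(m["dest"]).path))
    return findings

if __name__ == "__main__":
    for client, src, dst in find_rename_to_executable(SAMPLE_LOG):
        print(f"{client}: {src} renamed to {dst}")
```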
29
Webserver Proxy Attacks
§ Most modern webservers, particularly NGINX, can
act as a proxy that forwards requests between a
client and one or more backend servers
§ For example, NGINX can be used as a load
balancer, forwarding requests to multiple
scaled backend containers for redundancy
§ It may be possible to manipulate poorly
configured webserver proxies to send requests on
your behalf to other hosts
§ In some cases you can even contact internal
hosts firewalled from the internet
30
Webserver Proxy Attack Examples
Manipulating Host Headers:
Request:
GET [Link] HTTP/1.1
Result:
HTTP/1.1 200 OK
[snip]
Note: Standard HTTP requests use a relative path to access resources and rely on a Host header to identify the server to contact. By providing a hostname and full path with no Host header, the proxy may directly contact the target site on our behalf.
Manipulating the CONNECT Method:
Request:
CONNECT [Link] HTTP/1.1
Result:
HTTP/1.1 200 Connection established
[snip]
Note: HTTP’s built-in CONNECT method is designed specifically to proxy connections to non-HTTP ports over an HTTP channel. You may be able to use this proxy connection to load FTP resources from internal services.
31
Virtual Host Exploitation
§ As we know, the Host header is used by a
webserver to map incoming requests to
the appropriate virtual host (i.e. website)
§ Security configurations and options like
directory indexing, user directories, etc.
are configured on a per-virtual host basis
§ In some cases you may be able to bypass
security controls by manipulating or
removing the Host header, causing the
webserver to use the default security
configuration
32
Virtual Host Manipulation
Request #1:
GET /backup/ HTTP/1.1
Host: [Link]
Result:
HTTP/1.1 200 OK
Content-length: 0
[snip]
Request #2:
GET /backup/ HTTP/1.1
Host: [Link]
Result:
HTTP/1.1 200 OK
Content-length: 0
[snip]
Request #3:
GET /backup/ HTTP/1.1
Host: [Link]
Result:
HTTP/1.1 200 OK
Content-length: 1899
[snip]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html> <head> <title>Index of /backup</title> </head> <body> <h1>Index of /backup</h1>
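Added example (not from the slides) covering both the proxy-attack slide and the virtual-host slides above: a classifier an edge server or log pipeline could run on raw requests to flag absolute-URI targets, CONNECT tunnels, and missing or unknown Host headers (the cases that fall through to the default virtual host). The served hostnames and sample requests are constructed.

```python
# Added example (not from the slides): classify raw HTTP requests for the
# proxy and virtual-host anomalies described above. SERVED_HOSTS and SAMPLES
# are constructed for the demonstration.
from typing import Dict, List, Tuple

SERVED_HOSTS = {"www.example.test", "intranet.example.test"}   # our virtual hosts

def parse_request(raw: str) -> Tuple[str, str, str, Dict[str, str]]:
    """Return (method, target, version, headers) from a raw request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method.upper(), target, version, headers

def classify(raw: str) -> List[str]:
    """Reasons an edge server should refuse or at least log this request."""
    method, target, version, headers = parse_request(raw)
    host = headers.get("host")
    flags: List[str] = []
    if method == "CONNECT":
        flags.append("connect-tunnel")      # tunnel attempt through the proxy
    elif "://" in target:
        flags.append("absolute-uri")        # "GET http://other-host/..." via proxy
    if host is None and version == "HTTP/1.1":
        flags.append("missing-host")        # would land on the default vhost
    elif host is not None and host.split(":")[0].lower() not in SERVED_HOSTS:
        flags.append("unknown-host")        # not one of our virtual hosts
    return flags

SAMPLES = {
    "normal":     "GET /backup/ HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "no_host":    "GET /backup/ HTTP/1.1\r\n\r\n",
    "other_host": "GET /backup/ HTTP/1.1\r\nHost: 10.0.0.12\r\n\r\n",
    "proxy":      "GET http://intranet.example.test/backup/ HTTP/1.1\r\n\r\n",
    "connect":    "CONNECT ftp.example.test:21 HTTP/1.1\r\nHost: ftp.example.test:21\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} -> {classify(raw) or ['ok']}")
```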
33
Web Application Firewalls
34
Web Application Firewalls
§ Web application firewalls (WAFs) sit inline between
the web application itself and an incoming (and
possibly malicious) HTTP request
§ Using lists of well-known malicious payloads and
HTTP standards, they attempt to identify
malicious requests and block them before they’re
processed by the web application
§ WAFs use techniques like signature matching,
heuristics, and known protocol standards to
determine if an attack is occurring
35
Web Application Firewalls
§ Because of their reliance on known attack strings
(a blacklist approach), it’s possible to bypass
WAFs by cleverly manipulating attack strings
§ Some data sent between the client and web
app may also be encrypted (not TLS),
preventing the WAF from identifying the
payload
§ Encoding techniques typically do not work
against WAFs since they are well-known;
however, some clever encoding may result
in padding an attack string, allowing it to
bypass the WAF filter
36
Identifying and Bypassing a WAF
§ To determine if a WAF is present, simply
send a malicious request (like a SQL
injection string) and see if the server
responds differently depending on the
request
§ Once the WAF has been detected, it’s
possible to use fuzzing techniques to
determine which payloads are being
blocked
§ Once you find a set of payloads not
blocked, leverage them for your
attack!
37
Identifying and Bypassing a WAF
§ Other bypass techniques (specific to the
platform being used) include:
§ Submitting user input using a different HTTP
method than expected (POST instead of GET, for example)
§ Placing user input in alternative
locations (inside cookies if using
[Link] for example)
§ Doubling up on parameters in hopes
that the first parameter is the only one
checked
38
Let’s break!
See You Next Time