Lecture 3 - Application Server Attacks

The document discusses various types of application server attacks, focusing on information disclosure through error messages, stack traces, and debug messages that can leak sensitive data. It also covers vulnerabilities in web servers, including misconfigurations, default credentials, and directory indexing, as well as the exploitation of WebDAV methods and web server proxy attacks. Additionally, it highlights the role of Web Application Firewalls (WAFs) in protecting against these attacks and their limitations.

Application Server Attacks

INFR 4662U – Winter 2020


Garrett Hayes

Excerpts and concepts taken from the Web Application Hacker’s Handbook 2nd Edition, Stuttard & Pinto, Wiley Press. License: Creative Commons

Information Disclosure

Information Disclosure Sources

Performing arbitrary actions against a web application may result in sensitive data leakage, by means of:
• Error Messages
• Stack Traces
• Debug Messages

Leaky Error Messages

§ Unexpected events, perhaps as a result of invalid user input, may cause a web application to return an error message
§ These error messages may not be visible in the browser; rather, you may see them directly in the HTTP response
§ Error messages can divulge missing parameter names, versions of software being used, encryption mechanisms implemented, and other sensitive information about the application

Example PHP Error

[02-Oct-2016 22:15:24] PHP Fatal error: Call to undefined function add_action() in /home4/finister/public_html/test/wp-content/themes/solaris/fw/core/type.team.php on line 11
[02-Oct-2016 22:15:33] PHP Fatal error: Call to undefined function add_action() in /home4/finister/public_html/test/wp-content/themes/solaris/fw/core/core.reviews.php on line 11
[02-Oct-2016 22:15:34] PHP Fatal error: Call to undefined function add_action() in /home4/finister/public_html/test/wp-content/themes/solaris/fw/core/plugin.woocommerce.php on line 7
[02-Oct-2016 22:15:44] PHP Fatal error: Call to undefined function add_action() in /home4/finister/public_html/test/wp-content/themes/solaris/fw/core/type.taxonomy.php on line 11
[02-Oct-2016 22:15:49] PHP Fatal error: Call to undefined function add_action() in /home4/finister/public_html/test/wp-content/themes/solaris/fw/core/type.attachment.php on line 11
[02-Oct-2016 22:15:51] PHP Fatal error: Call to undefined function add_action() in /home4/finister/public_html/test/wp-content/themes/solaris/fw/core/type.testimonials.php on line 11
[02-Oct-2016 22:15:54] PHP Fatal error: Call to undefined function add_action() in /home4/finister/public_html/test/wp-content/themes/solaris/fw/core/plugin.bb-press.php on line 7
[02-Oct-2016 22:15:55] PHP Fatal error: Call to undefined function add_action() in /home4/finister/public_html/test/wp-content/themes/solaris/fw/core/type.post_type.php on line 11

Example MySQL Error

Warning: mysql_connect(): Access denied for user 'root'@'localhost' (using password: NO) in /home/seleccionfidenag/public_html/b4k&2018/clases/clase_mysql.class.php on line 38

Warning: mysql_query(): Access denied for user ''@'localhost' (using password: NO) in /home/seleccionfidenag/public_html/b4k&2018/paso8.php on line 11

Warning: mysql_query(): A link to the server could not be established in /home/seleccionfidenag/public_html/b4k&2018/paso8.php on line 11

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /home/seleccionfidenag/public_html/b4k&2018/paso8.php on line 12

Warning: mysql_connect(): Access denied for user 'root'@'localhost' (using password: NO) in /home/seleccionfidenag/public_html/b4k&2018/clases/clase_mysql.class.php on line 38

Example ColdFusion Error

Error Diagnostic Information

Just in time compilation error
An extraneous end tag </CF_dciv5> has been encountered at document position (12:1) to (12:11). End tags cannot be present in CFML templates without a matching start tag.
The last successfully parsed CFML construct was static text occupying document position (8:17) to (11:1).
The specific sequence of files included or processed is:
C:\Inetpub\wwwroot\v5\xxx.com\Products\dns2go\v5shells\common\CEOFooter.cfm
Date/Time: xxx
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0
Remote Address: xxx
HTTP Referer: https://www.google.com/

Leaky Stack Traces

§ More complex web application languages will handle crashes differently than simple script-oriented languages like JS
§ Languages like Java and ASP.Net in particular will create a stack trace when an unhandled error occurs
§ Stack traces provide additional insight into the state of the application when the error occurred

Leaky Stack Traces

§ Unlike error messages, stack traces usually indicate why the error occurred
§ These traces may leak parameters or data types expected by the application
§ Additional information about classes and libraries loaded will often be provided
  § If you’re lucky, perhaps even version information!
§ Finally, information about the application path and its environment may also be dumped
  § File paths, usernames, etc.

Example PHP Stack Trace

[08-Mar-2018 05:55:10 America/Chicago] PHP Fatal error: Class 'WP_Dependencies' not found in /home2/patahiti/public_html/Multi/wp-includes/class.wp-styles.php on line 18
[08-Mar-2018 08:35:28 America/Chicago] PHP Fatal error: Uncaught Error: Call to undefined function add_shortcode() in /home2/patahiti/public_html/Multi/wp-includes/media.php:1484
Stack trace: #0 {main} thrown in /home2/patahiti/public_html/Multi/wp-includes/media.php on line 1484
[08-Mar-2018 09:58:42 America/Chicago] PHP Warning: require_once(ABSPATHWPINC/class-walker-nav-menu.php): failed to open stream: No such file or directory in /home2/patahiti/public_html/Multi/wp-includes/nav-menu-template.php on line 11
[08-Mar-2018 09:58:42 America/Chicago] PHP Fatal error: require_once(): Failed opening required 'ABSPATHWPINC/class-walker-nav-menu.php' (include_path='.:/opt/php70/lib/php') in /home2/patahiti/public_html/Multi/wp-includes/nav-menu-template.php on line 11
[08-Mar-2018 10:26:36 America/Chicago] PHP Warning: require(ABSPATHWPINC/class-requests.php): failed to open stream: No such file or directory in /home2/patahiti/public_html/Multi/wp-includes/class-http.php on line 11
[08-Mar-2018 10:26:36 America/Chicago] PHP Warning: require(ABSPATHWPINC/class-requests.php): failed to open stream: No such file or directory in /home2/patahiti/public_html/Multi/wp-includes/class-http.php on line 11
[08-Mar-2018 10:26:36 America/Chicago] PHP Fatal error: require(): Failed opening required 'ABSPATHWPINC/class-requests.php' (include_path='.:/opt/php70/lib/php') in /home2/patahiti/public_html/Multi/wp-includes/class-http.php on line 11

Example ASP.Net Stack Trace with Cookie

Example ASP.Net Stack Trace with Session

Leaky Debug Messages

§ In some cases developers may manually enable application debugging in order to identify and remove bugs
§ And they’ll probably forget to turn it off
§ Debug messages include all kinds of sensitive data like usernames, passwords, sessions, environmental variables, tokens, encryption keys, etc.
§ If you’re lucky, perhaps even an HTML5 debugging environment!

Example phpinfo() Leak

Example CGI Debug Message 1/2

Example CGI Debug Message 2/2

Triggering Errors

§ Even if a web application doesn’t reveal any error/debug/stack trace messages during the exploration phase, it may be possible to trigger these events by tampering with input parameters
§ Some errors may not show up in the browser, so it’s important to use a proxy or custom script to grep for keywords, such as:
  § error, stack, trace, not found, failed, exception, invalid, SQL, SELECT, etc.
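The keyword grep described above, as an added example (not from the lecture or the Handbook): a scanner that checks a response body for the suggested keywords and also for the absolute paths, "on line N" locations and server banners that the earlier PHP, MySQL and ColdFusion slides show leaking. The sample bodies are constructed for the example and do not refer to real sites.

```python
import re

# Keywords the lecture suggests grepping for in responses (matched case-insensitively).
LEAK_KEYWORDS = ["error", "stack", "trace", "not found", "failed",
                 "exception", "invalid", "sql", "select"]

# Extra patterns characteristic of the leaks shown on the previous slides:
# absolute server paths, PHP "on line N" locations and banner versions.
LEAK_PATTERNS = {
    "unix_path": re.compile(r"(?<![\w/])/(?:home\d*|var|etc|opt|usr)/[\w./-]+"),
    "windows_path": re.compile(r"\b[A-Za-z]:\\[\w\\.-]+"),
    "php_location": re.compile(r"\bon line \d+\b"),
    "version": re.compile(r"\b(?:PHP|Apache|nginx|Microsoft-IIS)/\d+(?:\.\d+)+\b"),
}

def find_leak_indicators(body: str) -> dict:
    """Return {indicator: sorted matches} for anything in body worth a second look."""
    hits: dict = {}
    lowered = body.lower()
    for kw in LEAK_KEYWORDS:
        if re.search(r"\b" + re.escape(kw) + r"\b", lowered):
            hits.setdefault("keyword", []).append(kw)
    for name, pattern in LEAK_PATTERNS.items():
        found = pattern.findall(body)
        if found:
            hits[name] = sorted(set(found))
    return hits

# Constructed sample responses (not real sites): one modelled on the PHP
# fatal error slide, one on the ColdFusion slide, one clean page.
SAMPLE_PHP = ("PHP Fatal error: Call to undefined function add_action() in "
              "/home/appuser/public_html/shop/checkout.php on line 42")
SAMPLE_CF = ("Error Diagnostic Information\nThe specific sequence of files included is:\n"
             "C:\\Inetpub\\wwwroot\\shop\\common\\Footer.cfm\nServer: Microsoft-IIS/6.0")
SAMPLE_CLEAN = "<html><body><h1>Welcome to the shop</h1></body></html>"

if __name__ == "__main__":
    for sample in (SAMPLE_PHP, SAMPLE_CF, SAMPLE_CLEAN):
        print(find_leak_indicators(sample) or "no indicators")
```

Run it over the raw bodies captured by your proxy rather than the rendered page, since the slide's point is that the leak may never reach the browser.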

Application Server Attacks

Attacking Web Servers

§ Unlike the remaining topics in this course, this module focuses on attacking the underlying web server itself, including misconfigurations, insecure options, default credentials, etc.
§ Even if a web application is coded securely, the underlying web server may contribute to an application’s exploitation by proxy
§ This could be as simple as the web server leaking session data through a debug message, as seen previously

Administrative Interfaces & Default Credentials

§ Some web servers have remote administrative interfaces that can be used to control or view the status of the underlying server, often running on ports 8080 or 8443
§ For example, Apache Tomcat, used to host Java servlets, runs on port 8080
§ These administrative interfaces may use default credentials, allowing you to debug, modify, or execute new/existing code

Default credentials for common administrative interfaces
Table taken from the Web Application Hacker’s Handbook 2nd Edition, Stuttard & Pinto, Wiley Press

Administrative Interface: Jboss JMX

Directory Indexing

§ As seen in the last topic, some servers like Apache provide directory indexing by default when a folder does not contain the requisite file (i.e. index.php, index.html, index.htm, etc.)
§ Directories with open indexing return a list of all files and folders within that directory, sometimes exposing old scripts, backup files, CSVs, sensitive files, SQL backups, etc.
§ If you find even a single open index on a web server, open indexing is likely enabled everywhere! Keep brute forcing…

Directory Indexing Misconfiguration

WebDAV Overview

§ WebDAV refers to a set of HTTP methods used to manage files remotely (DAV = Distributed Authoring and Versioning)
§ WebDAV is heavily used in cloud collaboration software, cloud storage, and other distributed file-centric applications
§ For example, NextCloud and SharePoint both use WebDAV to remotely manage file resources over the web

WebDAV Methods

§ Like standard HTTP, WebDAV uses specific methods to manage file resources:
  § PUT uploads a file to a specific location
  § COPY & MOVE copy or move a file resource to a specified location
  § DELETE removes a file at a specific location
  § SEARCH searches a path for a file resource
  § PROPFIND retrieves the metadata for a file resource (modified date, size, etc.)

WebDAV Example Request/Response

Request:
OPTIONS /filepath/ HTTP/1.1
Host: example.com

Result:
HTTP/1.1 200 OK
[snip]
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
Allow: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, COPY, MOVE
Allow: MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, ORDERPATCH
DAV: 1, 2, ordered-collections
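As an added example (not from the lecture or the Handbook), a parser for an OPTIONS response like the one above that merges the repeated Allow headers and reports which write and enumeration methods the server admits to, which is the check to run against your own paths before an attacker does. The sample response is constructed from the slide.

```python
from typing import Dict, List, Set

# WebDAV methods grouped by what they let a client do to the file store.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
ENUM_METHODS = {"PROPFIND", "SEARCH"}

# Constructed sample, modelled on the OPTIONS response on the slide above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Allow: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, COPY, MOVE\r\n"
    "Allow: MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, ORDERPATCH\r\n"
    "DAV: 1, 2, ordered-collections\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw response's header block; a header that repeats keeps every value."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def allowed_methods(headers: Dict[str, List[str]]) -> Set[str]:
    """Merge every Allow header into one upper-cased method set."""
    methods: Set[str] = set()
    for value in headers.get("allow", []):
        methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods

def assess_options(raw: str) -> dict:
    """Summarise what an OPTIONS response says a client may do to this path."""
    headers = parse_headers(raw)
    methods = allowed_methods(headers)
    dav = [t.strip() for v in headers.get("dav", []) for t in v.split(",")]
    return {
        "webdav_enabled": bool(dav) or bool(methods & (WRITE_METHODS | ENUM_METHODS)),
        "dav_classes": dav,
        "write_methods": sorted(methods & WRITE_METHODS),
        "enum_methods": sorted(methods & ENUM_METHODS),
        "server": headers.get("server", [None])[0],
    }

if __name__ == "__main__":
    print(assess_options(SAMPLE_RESPONSE))
```

Because permissions are set per directory, the assessment has to be repeated for every path of interest, not just the web root.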

WebDAV Exploitation

§ Since WebDAV supports sensitive methods like PUT & DELETE, it’s possible that one or more directories on the server have incorrect permissions, ultimately allowing you to arbitrarily manipulate resources
§ Permissions are often set on a per-file and per-directory basis, so some brute forcing and recursive checking may be needed

WebDAV Exploitation

§ Even if you find a misconfigured directory allowing you to PUT and COPY files, the webserver may restrict you from uploading malicious file types (.jsp for example)
§ To get around this, try uploading your malicious file as .txt then use COPY or MOVE to change the file extension!
§ File extensions like .html and .jar can often be uploaded and used to manipulate users (phishing pages, for example)

Webserver Proxy Attacks

§ Most modern webservers, particularly NGINX, can act as a proxy that forwards requests between a client and one or more backend servers
§ For example, NGINX can be used as a load balancer, forwarding requests to multiple scaled backend containers for redundancy
§ It may be possible to manipulate poorly configured webserver proxies to send requests on your behalf to other hosts
§ In some cases you can even contact internal hosts firewalled from the internet

Webserver Proxy Attack Examples

Manipulating Host Headers:

Request:
GET https://example.com/resource HTTP/1.1

Result:
HTTP/1.1 200 OK
[snip]

Note: Standard HTTP requests use a relative path to access resources and rely on a Host header to identify the server to contact. By providing a hostname and full path with no Host header, the proxy may directly contact the target site on our behalf.

Manipulating the CONNECT Method:

Request:
CONNECT example.com HTTP/1.1

Result:
HTTP/1.1 200 Connection established
[snip]

Note: HTTP’s built-in CONNECT method is designed specifically to proxy connections to non-HTTP ports over an HTTP channel. You may be able to use this proxy connection to load FTP resources from internal services.

Virtual Host Exploitation

§ As we know, the Host header is used by a webserver to map incoming requests to the appropriate virtual host (i.e. website)
§ Security configurations and options like directory indexing, user directories, etc. are configured on a per-virtual host basis
§ In some cases you may be able to bypass security controls by manipulating or removing the host header, causing the webserver to use the default security configuration

Virtual Host Manipulation

Request #1:
GET /backup/ HTTP/1.1
Host: example.com

Result:
HTTP/1.1 200 OK
Content-length: 0
[snip]

Request #2:
GET /backup/ HTTP/1.1
Host: blah.com

Result:
HTTP/1.1 200 OK
Content-length: 0
[snip]

Request #3:
GET /backup/ HTTP/1.1
Host: 199.212.32.2

Result:
HTTP/1.1 200 OK
Content-length: 1899
[snip]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html> <head> <title>Index of /backup</title> </head> <body> <h1>Index of /backup</h1>
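The proxy and virtual-host requests from the last three slides, as an added example (not from the lecture or the Handbook) of detection logic a defender can run over raw requests: it flags proxy-style absolute URIs, CONNECT, a missing Host header and a Host that is an IP literal or not one of the server's own names, and recognises the auto-index page returned in Request #3. The allow-list and sample requests are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Hostnames this server is meant to serve (constructed allow-list).
KNOWN_HOSTS = {"example.com", "www.example.com"}

# Constructed raw requests modelled on the proxy and virtual-host slides.
SAMPLES = [
    "GET /backup/ HTTP/1.1\r\nHost: example.com\r\n\r\n",            # normal
    "GET /backup/ HTTP/1.1\r\nHost: blah.com\r\n\r\n",               # foreign Host
    "GET /backup/ HTTP/1.1\r\nHost: 199.212.32.2\r\n\r\n",           # IP as Host
    "GET https://example.com/resource HTTP/1.1\r\n\r\n",             # proxy-style
    "CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
]

def parse_request(raw: str) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into method, target, version and lower-cased headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers

def classify_request(raw: str, known_hosts=KNOWN_HOSTS) -> List[str]:
    """Return the anomalies in one request that the slides describe."""
    method, target, version, headers = parse_request(raw)
    findings: List[str] = []
    if method.upper() == "CONNECT":
        findings.append("connect-method")
    elif re.match(r"[a-z][a-z0-9+.-]*://", target, re.I):
        findings.append("absolute-uri")          # full URL instead of a path
    host = headers.get("host")
    if host is None:
        findings.append("missing-host")          # server falls back to the default vhost
    else:
        hostname = host.split(":")[0].lower()    # strip :port (names and IPv4 only)
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", hostname):
            findings.append("ip-literal-host")
        elif hostname not in known_hosts:
            findings.append("unknown-host")
    return findings

def is_directory_listing(body: str) -> bool:
    """Auto-index pages carry an 'Index of /path' title, as in Request #3 above."""
    return re.search(r"<title>\s*Index of /", body, re.I) is not None
```

A request that classifies as anything other than an empty list is one the default virtual host will answer, so the fix is to make that default host refuse or redirect rather than serve content.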

Web Application Firewalls

Web Application Firewalls

§ Web application firewalls (WAF) sit inline between the web application itself and an incoming (and possibly malicious) HTTP request
§ Using lists of well-known malicious payloads and HTTP standards, they attempt to identify malicious requests and block them before they’re processed by the web application
§ WAFs use techniques like signature matching, heuristics, and known protocol standards to determine if an attack is occurring

Web Application Firewalls

§ Because of their reliance on known attack strings (a blacklist approach), it’s possible to bypass WAFs by cleverly manipulating attack strings
§ Some data sent between the client and web app may also be encrypted (not TLS), preventing the WAF from identifying the payload
§ Encoding techniques typically do not work against WAFs since they are well-known; however, some clever encoding may result in padding an attack string, allowing it to bypass the WAF filter

Identifying and Bypassing a WAF

§ To determine if a WAF is present, simply send a malicious request (like a SQL injection string) and see if the server responds differently depending on the request
§ Once the WAF has been detected, it’s possible to use fuzzing techniques to determine which payloads are being blocked
§ Once you find a set of payloads not blocked, leverage them for your attack!

Identifying and Bypassing a WAF

§ Other bypass techniques (specific to the platform being used) include:
  § Submitting user input using non-standard methods like POST or GET
  § Placing user input in alternative locations (inside cookies if using ASP.net for example)
  § Doubling up on parameters in hopes that the first parameter is the only one checked

Let’s break!
See You Next Time