Chapter 13: Web Servers & Web Apps

Question 1

Web application

Answer 1

an application that runs on a remote server and is access through a client (i.e. Netflix, where the application is presented through a client interface such as a browser or other piece of SW)

web apps are designed to run across platforms, whereas native apps are targeted for specific platforms

Most processing done on server!! Client is used for user input, server used for storage

***HTTPS //encrypts data in transit

Question 2

Server Administrators

Answer 2

concerned w/ safety, security, and functioning of web server from operational standpoint

Question 3

NW Administrators

Answer 3

concerned w/ infrastructure and functioning of NW as a whole

Question 4

End Users

Answer 4

they interact w/ the web server and application as a consumer & user of info

Question 5

The client & server

Answer 5

A server application is hosted on a web server and is designed to be accessed remotely via a web browser or web-enabled application; Information is stored on the server

Typically multiple clients can access the server simultaneously to retrieve, view, or modify data

Question 6

Why choose a web app over client-server models

Answer 6

Client app doesn’t have to be developed for each platform; since most web apps are run within a web browser, the underlying architecture becomes unimportant

Question 7

Web applications are dependent on the use of what technologies?

Answer 7

Server-side technologies such as ASP (active server pages) or PHP (Personal Home page or Hypertext Preprocessor)

Client-side technologies include Dynamic HTML (DHTML), Javascript, etc

Question 8

You can visualize a web app not only as consisting of a client and server, but as layers (3):

Answer 8

1) PRESENTATION LAYER //display of info to user on client side
2) LOGIC LAYER //manipulation of info (transformed or edited into the form into needs to be stored or presented in)
3) DATA LAYER //holding data for application as a whole

Question 9

define Stateless

Answer 9

Stateless HTTP refers to the fact that the protocol does not keep track of session information from one connection to the next; each communication in HTTP is treated as a separate connection

Question 10

define cookies

Answer 10

a file stored on a client system that is used as a token by applications to store information of some type

Question 11

Pieces of a web app (9)

Answer 11

1) LOGIN
2) WEB SERVER //foundation for whole system
3) SESSION TRACKING //storage of info
4) PERMISSIONS //determine what level of access user has to resources on server
5) APPLICATION CONTENT //info user is interacting with
6) DATA ACCESS //web pages in a web app to provide data access
7) DATA STORE //valuable info is contained here
8) LOGIC //responsible for interacting w/ user & providing correct info to be extracted from DB
9) LOGOUT //used by users to shut down their connection

Question 12

Vulnerabilities of Web Servers & Applications (7)

Answer 12

1) FLAWED WEB DESIGN //comments and hidden tags embedded into a web page can yield information;
2) BUFFER OVERFLOW //when application puts more data in a buffer than it was designed to hold; programmer could have malpractice & create a buffer w/ not restrictions; Overflow of data results in corruption or overwritten data; as a result data could lose its integrity, loss of data, disclosure of info
3) DoS
4) DDoS
5) BANNER INFORMATION //reveals information about server or web application//use telnet or PuTTY to extract banner info (would look like HTTP/1.1 ….Server: [name] etc) //telnet www..com 80
6) ERROR MESSAGES //can reveal info about a server or web application
7) VANDALIZING WEB SERVERS //defacing a website

Question 13

Common attack methods on Web Applications

Answer 13

1) INPUT VALIDATION //mechanism used to verify info as it is entered; sites w/ little restrictions placed on what data can be entered gives way for problems such as: DB manipulation, DB corruption, Buffer Overflow, Inconsistent data, SQL injections
2) XSS //input validation attack relies on user instead of application or data; can inject malicious code to gain info from session
3) INSECURE LOGON SYSTEMS //when invalid user ID, PW, or both is entered, the website might return that “an entry of an invalid user ID with a valid password”, sites should return generic info
4) SCRIPTING ERRORS //depending on the code used (ASP, CGI, JSP); vulnerabilities are presented
5) SESSION MGMT ISSUES
6) ENCRYPTION WEAKNESSES //data should be encrypted when stored and transmitted
7) DIRECTORY TRAVERSAL ATTACK //allows server to move outside of the web server directory & into other parts of host system

Question 14

Performing a PW crack

Answer 14

Tool used: Brutus

Page 576

Question 15

Scripting Error Attacks (5)

Answer 15

1) UPLOAD BOMBING //uploading mass files to fill up storage on the server making server crash or stop
2) POISON NULL BYTE ATTACK //passes special characters the scripts may not be designed to handle properly, the script may grant access where it shouldn’t
3) DEFAULT SCRIPTS //use of default scripts can allow attackers to exploit configuration issues & gain unauthorized access
4) SAMPLE SCRIPTS //web apps can include sample content that is left in place by servers; attackers can use that to carry out attack
5) POORLY WRITTEN OR QUESTIONABLE SCRIPTS //some include usernames, passwords

Question 16

Vulnerabilities of Session Mgmt Issues

Answer 16

1) LONG-LIVED SESSIONS //sessions that remain valid longer than they are needed
2) LOGOUT FEATURES //some sites don’t have a logout feature, but instead need you to close the browser
3) INSECURE OR WEAK SESSION IDENTIFIERS //easily guessed or predicted sessions IDs
4) GRANTING OF SESSION IDs to UNAUTHORIZED USERS //sometimes apps grant unauthorized users session IDs & redirect them to a logout page giving ability to request valid URLs
5) POOR OR NO PASSWORD CHANGE CONTROLS //old PW may not be required to change PWs
6) INCLUSION OF UNPROTECTED INFORMATION in COOKIES

Question 17

Vulnerabilities of weak encryptions

Answer 17

1) WEAK CIPHERS //weak encryption allows attacker to easily decrypt data
2) VULNERABLE SW //some SW implementations that encrypt the transmission of data, such as SSL (secure sockets layer), may suffer from poor programming

Question 18

Directory Traversal Attack takes advantage of errors such as:

Answer 18

1) ACCESS CONTROL LISTS (ACCESS CONTROL LISTS) //used to indicate which users and groups are allowed to access files and directories on a server as well as level of interaction allowed
2) ROOT DIRECTORY //directory on the server where users are specifically restricted; contains sensitive files

Question 19

Walk through Directory Traversal Attack

Answer 19

Web apps w/ dynamic pages (such as ASP or ASP.NET)

Input is usually received from browsers through GET or POST request methods, an example of a GET HTTP request URL:

http://beta.canadiens.com/show.asp?view=history.html

The browser requests the dynamic page SHOW.ASP from the server & also sends the parameter VIEW w/ the value HISTORY.HTML

When this request is executed on the web server, SHOW.ASP retrieves the file HISTORY.HTML from the server’s file system & returns to requesting party

We can alter the URL by doing the following to retrieve system.ini

http://beta.candiens.com/show.asp?view=../

the two dots allow you to traverse up one directory

Question 20

Countermeasures of a Directory Traversal Attack

Answer 20

1) RUNNING MODERN WEB SERVER SW OR UPDATE PATCHES

2) ENABLE FILTERING OF USER INPUT TO WEB SERVER

Question 21

Which of the following best describes a web application?

a) code designed to be run on the client
b) code designed to be run on the server
c) SQL code for DBs
d) targeting of webservices

Answer 21

b) code designed to be run on the server

Question 22

Which of the following can prevent bad input from being presented to an application?

a) filtering
b) validation
c) scanning
d) traversing

Answer 22

b) validation //validation input is done through client side whereas filtering is done through server side

Question 23

Which tool can be used to view web server information?

a) netstat
b) netcraft
c) warcraft
d) TCP view

Answer 23

d) tcp view allows viewing of TCP connections between client & server

Question 24

What is the command to retrieve header information from a web server using telnet?

a) telnet 80
b) telnet 443
c) telnet -port: 80
d) telnet -port:443

Answer 24

a) telnet 80

Question 25

What may be helpful in protecting the content on a web server from being viewed by unauthorized personnel?

a) encryption
b) permissions
c) redirection
d) firewalls

Answer 25

a) encryption

Question 26

A common attack against web servers and web applications is

a) banner grab
b) input validation
c) buffer validations
d) buffer overflow

Answer 26

d) buffer overflow