The URL, the tiny portal into a Web server's inner mechanics, has the capacity to render all firewall, intrusion detection systems, and proxy security technologies useless. Users have to let port 80 (HTTP) and 443 (SSL) traffic through their firewalls. They can't possibly accommodate every combination of illegal URLs and
Case Study: Reconnaissance Leaks Corporate Assets
For yet another night, Jack was working late at the office. He was a Web developer extraordinaire (a.k.a. an elite Web hacker) who got bored easily and had a penchant for the market. One of those young geniuses who was always searching for a challenge, Jack was bored that night and decided to poke around the Internet.
In the past, Jack purchased a number of movies from an online Web site called Example.com (symbol EXMP.CO) with an online catalog of more than 10,000 movies, DVDs, VHSs, and music CDs. Earlier that day Jack had received a spam e-mail from Example.com proclaiming a brand new Web site that was easier to use than its previous one. The company also boasted about something else that instantly piqued his interest: It stated that the new Web site was "
He started by reviewing the company's home page (http://www.example.com). The design was flashy and brash, featuring heavy use of Macromedia Flash and some
http://www.example.com/load.cgi?file=main.dhtml
As he perused this URL, he noticed a couple of things:
· The Web programmer had used some form of CGI, probably Perl, as indicated by the load.cgi file: http://www.example.com/load.cgi
· The programmer had used Dynamic HTML (DHTML), with the latest HTML 4.0 features, as indicated by the main.dhtml file name: http://www.example.com/load.cgi?file=main.dhtml
· The programmer had used GET, as indicated by the full URL: http://www.example.com/load.cgi?file=main.dhtml
If the programmer who had written the load.cgi program hadn't performed adequate input validation on the file field, someone might be able to view the source of any file on the Web server's filesystem. But Jack wouldn't know until he tried it:
http://www.example.com/load.cgi?file=load.cgi
Sure enough, the URL produced the source code for the main CGI program, load.cgi. Now Jack could take advantage of any file on the filesystem. But before he crawled the Web site for potential targets of attack, he went straight after the robots.txt file:
http://www.example.com/load.cgi?file=robots.txt
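The flaw Jack relies on is that load.cgi opens whatever the file parameter names, so the script's own source and robots.txt come back as readily as main.dhtml. The following is an added example, not code from the book or from Example.com, written in Python rather than the Perl the story guesses at: it puts the unsafe loader beside a hardened one that accepts only a bare file name of a servable page type and confirms the canonical path stays inside the document root. The directory layout, file contents, the Rejected exception and the outcome helper are constructed for the demonstration.

```python
import os
import tempfile


def make_site() -> str:
    """Build a constructed mini-site: a document root holding a page and the
    CGI script itself, plus a file one level above the root that should never
    be reachable through the loader."""
    base = tempfile.mkdtemp(prefix="example_site_")
    root = os.path.join(base, "htdocs")
    os.makedirs(root)
    with open(os.path.join(root, "main.dhtml"), "w") as f:
        f.write("<html>welcome</html>")
    with open(os.path.join(root, "load.cgi"), "w") as f:
        f.write("#!/usr/bin/perl\n# constructed stand-in for the CGI source\n")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("not for the web")
    return root


class Rejected(Exception):
    """Raised when the hardened loader refuses a request (constructed name)."""


def load_unsafe(root: str, file_param: str) -> str:
    """The pattern in the story: join the user-supplied value onto the
    document root and open whatever results. 'load.cgi' returns the script's
    own source; '../secret.txt' walks out of the root entirely."""
    with open(os.path.join(root, file_param)) as f:
        return f.read()


# Only page types the loader is meant to render (assumption for the demo).
ALLOWED_SUFFIXES = (".dhtml", ".html")


def load_safe(root: str, file_param: str) -> str:
    """Hardened loader: (1) a bare file name only, no directory components;
    (2) a servable page type only; (3) canonicalise and confirm the resolved
    path still lies inside the document root (defends against symlinks and
    any traversal that slipped past the first check)."""
    if file_param in ("", ".", "..") or file_param != os.path.basename(file_param):
        raise Rejected("directory components not allowed")
    if not file_param.endswith(ALLOWED_SUFFIXES):
        raise Rejected("file type not servable")
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(real_root, file_param))
    if os.path.commonpath([real_root, target]) != real_root:
        raise Rejected("path escapes document root")
    with open(target) as f:
        return f.read()


def outcome(root: str, file_param: str) -> str:
    """Return 'served' or the reason the hardened loader refused the request."""
    try:
        load_safe(root, file_param)
        return "served"
    except Rejected as e:
        return str(e)


if __name__ == "__main__":
    site = make_site()
    for param in ("main.dhtml", "load.cgi", "robots.txt", "../secret.txt"):
        unsafe = "readable" if os.path.exists(os.path.join(site, param)) else "missing"
        print(f"{param:15} unsafe loader: {unsafe:9} hardened loader: {outcome(site, param)}")
```

The order of the checks matters: rejecting anything that is not a bare file name removes the traversal case before any filesystem call, the suffix allowlist removes source files and server metadata such as robots.txt, and the realpath comparison catches whatever the string checks cannot see. An allowlist of page names would be stricter still if the set of pages is small and known.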
This file contains directories and files that shouldn't be followed during a Web crawling exercise. Of course, Web crawlers can choose not to
Jack spots a directory of particular interest, the /Forecast directory. He first
http://www.example.com/Forecast/.
He then tries a few known file
http://www.example.com/Forecast/Example.com-Forecast-Q199.pdf
http://www.example.com/Forecast/Example.com-Forecast-Q299.pdf
http://www.example.com/Forecast/Example.com-Forecast-Q399.pdf
http://www.example.com/Forecast/Example.com-Forecast-Q499.pdf
http://www.example.com/Forecast/Example.com-Forecast-Q100.pdf
http://www.example.com/Forecast/Example.com-Forecast-Q200.pdf
...
Knowing that the current date is March 28, 2002, and that the first quarter is about to end, he tries the following URL:
http://www.example.com/Forecast/Example.com-Forecast-Q102.pdf
Voila! Jack is prompted to Save the Example.com-Forecast-Q102.pdf file. He does so quickly.
Teleport Pro did not find this file, but Jack's hope was that the finance department may have already put a draft or near final version of the Q1-2002 report on the Web site for early review by investors. And it had. Human predictability is a wonderful thing.
Having received the file, Jack reviews it for any sensitive information—and it has plenty. The P/E ratio is creeping higher and revenue did not meet expectations, not by a long shot. Jack quickly realizes that he can sell his stock before those results are
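The walk through /Forecast leaves a recognisable trace in the Web server's access log: one client, one directory, a run of 404s for quarter-named files, then a 200 for a file no page ever linked to. The following added example, not from the book, parses constructed Apache-style log lines and flags exactly that pattern; the client addresses, timestamps, byte counts and the min_misses threshold are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed access log. 203.0.113.7 guesses report names under /Forecast/
# (three misses, then a hit on an unlinked draft); 198.51.100.4 is ordinary
# browsing of linked pages.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2002:23:41:02 -0500] "GET /Forecast/Example.com-Forecast-Q199.pdf HTTP/1.0" 200 81233
203.0.113.7 - - [28/Mar/2002:23:41:05 -0500] "GET /Forecast/Example.com-Forecast-Q299.pdf HTTP/1.0" 200 79012
203.0.113.7 - - [28/Mar/2002:23:41:09 -0500] "GET /Forecast/Example.com-Forecast-Q301.pdf HTTP/1.0" 404 211
203.0.113.7 - - [28/Mar/2002:23:41:12 -0500] "GET /Forecast/Example.com-Forecast-Q401.pdf HTTP/1.0" 404 211
203.0.113.7 - - [28/Mar/2002:23:41:15 -0500] "GET /Forecast/Example.com-Forecast-Q0102.pdf HTTP/1.0" 404 211
203.0.113.7 - - [28/Mar/2002:23:41:20 -0500] "GET /Forecast/Example.com-Forecast-Q102.pdf HTTP/1.0" 200 88410
198.51.100.4 - - [28/Mar/2002:23:42:00 -0500] "GET /load.cgi?file=main.dhtml HTTP/1.0" 200 5120
198.51.100.4 - - [28/Mar/2002:23:42:30 -0500] "GET /images/logo.gif HTTP/1.0" 200 3300
198.51.100.4 - - [28/Mar/2002:23:42:31 -0500] "GET /images/missing.gif HTTP/1.0" 404 211
"""

# client, method, request target, status (common/combined log format prefix)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse(line: str):
    """Return (client, method, directory, path, status) or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    path = urlsplit(target).path          # drop the query string
    directory = path.rsplit("/", 1)[0] + "/"
    return client, method, directory, path, int(status)


def find_enumeration(log_text: str, min_misses: int = 3) -> list:
    """Flag each (client, directory) pair that produced at least min_misses
    404s in one directory and afterwards fetched a file there successfully.
    Returns a list of findings in client/directory order."""
    state = defaultdict(lambda: {"misses": [], "hits_after_miss": []})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        client, method, directory, path, status = rec
        s = state[(client, directory)]
        if status == 404:
            s["misses"].append(path)
        elif status == 200 and s["misses"]:
            s["hits_after_miss"].append(path)   # a hit only counts once guessing began
    findings = []
    for (client, directory), s in sorted(state.items()):
        if len(s["misses"]) >= min_misses and s["hits_after_miss"]:
            findings.append({
                "client": client,
                "directory": directory,
                "misses": len(s["misses"]),
                "guessed": s["hits_after_miss"],
            })
    return findings


if __name__ == "__main__":
    for f in find_enumeration(SAMPLE_LOG):
        print(f"{f['client']} probed {f['directory']} "
              f"({f['misses']} misses) and then retrieved {f['guessed']}")
```

The single broken image from 198.51.100.4 stays below the threshold and has no later hit in the same directory, so it is not reported. The threshold is a tuning knob; the stronger signal is the 200 for a file that the site's own link map never referenced, which a site crawl of the kind Jack ran with Teleport Pro can supply for comparison. The lasting fix is not to stage unreleased material on the public server at all, and never under a name that the previous quarter's file makes obvious.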