Chapter 3: Hacking Web Platforms

Overview

The most prominent components of web applications that intruders will first seek to exploit are vulnerabilities within the web platform. The web platform is comprised of common (not necessarily commercial!) off-the-shelf software (COTS) that sits atop the host operating system but below the custom application logic. The web platform commonly includes:

  • COTS web server software (such as IIS or Apache)

  • COTS extensions to the web server, such as ISAPI filters and extensions, or Apache mod packages

  • COTS dynamic execution environments like ASP.NET, PHP, and J2EE (also referred to as application servers)

  • COTS services/daemons, such as user forums or web guestbook packages

In contrast to our definition of the web platform, we consider application-layer components to be anything that is not COTS and thus unique to a particular site or application. For example, Google's search-engine logic would be considered application-layer.

We are also only going to talk about certain types of web platform vulnerabilities in this chapter. Specifically, we will only focus on COTS software defects rather than misconfigurations. We've done this to focus reader attention on what we believe are two separate classes of web platform vulnerabilities: things that web site admins and developers can fix directly, and things they must rely on their software suppliers to help fix through software version updates and patches. We'll discuss misconfiguration vulnerabilities in Chapter 10.

Similarly, we will focus primarily on vulnerabilities that result in compromise of the confidentiality or integrity of the web platform in this chapter. See Chapter 12 for denial-of-service (DoS) attacks against the availability of the web platform and applications.

One last scope clarification: this chapter will focus on the nuts and bolts of web platform attacks and countermeasures, mostly using small-scale tools and techniques. Please see Chapter 13 for an entire chapter (new to the second edition) that addresses a large-scale automated web security assessment using web security vulnerability scanners.

Historically, COTS web server software vulnerabilities were one of the easiest ways to exploit a web site, but more recently, many of the authors of popular web server software have become increasingly security conscious, primarily because their products have taken a tremendous beating from hackers for so many years. Microsoft's IIS is the poster child for this phenomenon. Although severe vulnerabilities used to be found with startling regularity in the IIS product, the newest version, IIS6, has been relatively untouched, thanks largely to an invigorated attentiveness to security in the IIS6 development process.

None of this should be taken to mean that you can ignore web platform vulnerabilities, of course. We've seen a mere six vulnerable web server instances out of a farm of over 10,000 result in the total compromise of an entire global enterprise within a few days. Even worse, as we will demonstrate in this chapter, the hacking community continues to evolve their toolset to enable ever easier identification and exploitation of such faults.

This chapter will describe how to find, exploit, and defend common security vulnerabilities in the most popular web platforms. Our discussion will be organized as follows:

  • Point-and-click exploitation

  • Manual exploitation

  • Evasion techniques

As always, we'll wrap up with coverage of common countermeasures and security best practices to protect against these attacks.



Hacking Exposed Web Applications
HACKING EXPOSED WEB APPLICATIONS, 3rd Edition
ISBN: 0071740643
EAN: 2147483647
Year: 2006
Pages: 127
