Protocols of the Web

The World Wide Web is an array of protocols that act like traffic cops for the Internet. Packets can be thought of as cars, trucks, and buses on the information superhighway with protocols being stop signs, traffic lights, and drawbridges. So, by their very definition, protocols play a crucial role in managing the day-to-day activities on the Internet. As a result, they are especially important to hackers who want to take advantage of their flaws (and sometimes their features).

In this chapter we discuss the major protocols of e-commerce and how hackers attempt to alter them for their own gain. We also describe a number of free tools that take advantage of these protocols, automating much of the heavy lifting.

HTTP

Without a doubt, HTTP is the most ubiquitous protocol in use on the Internet. Every Web browser and server must communicate over it to exchange information. There have been three major versions of the protocol (HTTP/0.9, HTTP/1.0, and HTTP/1.1), all of which keep the same fundamental structure. HTTP is a stateless request/response protocol: each request is handled on its own, and the conversations lasting hours, days, and weeks that Web applications carry on are layered on top of it with cookies and session identifiers.

Although the HTTP/1.0 specification currently in use is a far cry from the original specification proposed by Tim Berners-Lee in March 1990, the fundamental features of HTTP haven't changed all that much. Figure 4-1 highlights the major components of the HTTP protocol and their use.

Figure 4-1. The HTTP protocol

Let's take a look at each major HTTP version in more detail.

HTTP/0.9

The first official HTTP specification is typically considered HTTP/0.9. This version and its successor are defined in the Internet Engineering Task Force's (IETF) Request for Comments (RFC) document RFC 1945 (http://www.ietf.org/rfc/rfc1945.txt). For four years (1992-1996), HTTP/0.9 found modest use on the Internet despite the Web's infancy at the time. HTTP/0.9 was limited in many ways (a request was a single line, GET followed by a path, with no headers and no status line in the reply) and didn't cover what we now consider to be required elements of Web interaction.

HTTP/1.0

The HTTP/1.0 specification came along just as the Internet started to heat up. Despite its relative age in technological terms (it was finalized in May 1996), HTTP/1.0 remains the king of the HTTP protocol versions on the Internet. Most Web servers and browsers still use HTTP/1.0 for default communication. As with HTTP/0.9, HTTP/1.0 is covered under RFC 1945.

The underpinnings of the HTTP/1.0 protocol reside with the request/response exchange. This exchange permits information to be sent, parsed, and returned between a client (Web browser) and a server (Web server) or prevents it.

In general, the HTTP/1.0 URL looks something like this:

http://host [ ":" port ] [ absolute_path ]

The host is the hostname desired, the port is the place to put an optional port number, and absolute_path is the resource requested.

HTTP Request

The first step of the request is to decide on the method to be used. Table 4-1 details the various HTTP/1.0 methods available.

Table 4-1. HTTP/1.0 Methods

Method

Description

GET

Retrieves the resource identified by the request path. If the requested file is a static HTML file, the file's contents are returned. If it is a server-side script (a dynamic ASP file, for example), the Web server processes the script, executes its commands, and sends the output of those commands to the requesting browser.

Example: GET /default.htm HTTP/1.0, followed by an empty line. The empty line (a second CRLF) marks the end of the request headers; until the server sees it, it keeps waiting, which is why you must hit ENTER twice after HTTP/1.0 when typing the request into a tool such as nc.

HEAD

The HEAD method is almost identical to the GET method, with only one key difference: It won't return the requested data (the body). However, the power of HEAD is that it responds with the same meta-information a GET would, such as the server response code, the Date header, the Server header, and the like. This characteristic allows an attacker to enumerate a Web server's running Web software (sometimes). Example: HEAD / HTTP/1.0. Note: You must hit ENTER twice after HTTP/1.0.

POST

The POST method requests that the server accept the enclosed information and act on it. POST methods are most commonly used when CGI or server-side scripting is involved. Note: The body follows the header block after an empty line, and a valid Content-Length header is required for all POST requests so that the server knows where the body ends.

HTTP Response

An HTTP request from a client is handled by the server and responded to accordingly. To respond, the server sends back a series of message components that can be categorized as follows:

Response code: a numeric code that corresponds to an associated response.

Header fields: additional information about the response.

Data: the content or body of the response.

With these three components, the client browser understands the server's response and interacts with the server. Now let's examine each component a little more closely.

Response Code

The response code is the first part of the server's response and sets the tone for the remainder of the interaction. An HTTP/1.0 server responds in one of four ways: Success, Redirection, Client Error, or Server Error (HTTP/1.1 adds a fifth class, 1xx Informational, for interim responses such as 100 Continue). Each response has a different meaning, depending on the client's request. Table 4-2 shows the most common response codes currently in use.

Table 4-2. Common Response Codes and Responses

Response Code

Description

Success 2xx

200 OK

The request has succeeded.

Redirection 3xx

301 Moved Permanently

The requested resource has been given a new permanent URL, which will be placed in the Location field. This response code is saying, "I have moved, follow me to my new home."

302 Moved Temporarily

The requested resource has been given a new temporary URL, which will be placed in the Location field. This response code is saying, "I have moved, follow me to my temporary home, but don't depend on me being here long."

Client Error 4xx

400 Bad Request

The request wasn't understood by the server.

401 Unauthorized

The resource requested requires user authentication, usually in the form of Basic or equivalent authentication.

403 Forbidden

The server understood the request but is refusing to respond. Typically, when the GET method is used to receive this response, little or no further information will be present. However, when the HEAD method is used, some servers will give more detailed information about why this condition occurred.

404 Not Found

The requested resource wasn't found.

Server Errors 5xx

500 Internal Server Error

The server discovered an internal error in processing the request.

501 Not Implemented

The server doesn't support the request.

502 Bad Gateway

The server received an invalid response from an upstream server when it requested the desired resource. This response is typical of HTTP proxies.

503 Service Unavailable

The server is temporarily unable to handle the request, typically because it is overloaded or down for maintenance; a Retry-After header may indicate when to try again.

Complete sets of HTTP/1.0 and HTTP/1.1 response codes are presented in Appendix B.

A server response code of 501 (Not Implemented) is the server's way of telling the client that the requested method isn't supported. That happens, for example, if you send a request with an OPTIONS method to an HTTP/1.0 server, because OPTIONS was introduced in HTTP/1.1.

Header Fields

Both the client's request and the server's response contain header fields that hold varying degrees of additional information. The server and client parse these fields and use the information as needed. Table 4-3 covers the main header field definitions.

Data

The data portion of the client's request or the server's response is really the body of the communication between the two. To request the default resource with the GET method, connect with netcat, type the request line, and then press ENTER once more to send the empty line that ends the header block:

C:\> nc.exe www.example.com 80
GET / HTTP/1.0
<cr><lf>          (empty line: press ENTER a second time)

and the default Web page (data or body) is streamed back, preceded by the status line and the header fields.
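The request/response exchange just described, worked through in code. This is an added example written for this edit, not code from the book: it builds raw requests with the terminating empty line that the nc session relies on, and parses a raw response into status line, header fields and body, including the HTTP/1.0 case where no Content-Length is sent and the body simply runs until the server closes the connection. The sample responses are constructed from the Apache header lines that appear in this chapter's Snort capture; the exchange() helper is only for use against a live host and is not exercised here.

```python
"""Raw HTTP/1.0 and HTTP/1.1 message handling, as seen on the wire with nc.

Added example (not the book's code). Sample responses are constructed.
"""
import socket

CRLF = b"\r\n"


def build_request(method, path, version="1.0", headers=None, body=b""):
    """Return the raw bytes of a request.

    The header block ends with an empty line (CRLF CRLF); without it the
    server keeps waiting for more headers, which is why the nc session in
    the text needs a second ENTER. Content-Length is computed from the body
    so a POST or PUT is never framed with the wrong length.
    """
    hdrs = dict(headers or {})
    if version == "1.1" and "Host" not in hdrs:
        raise ValueError("HTTP/1.1 requests must carry a Host header")
    if body:
        hdrs["Content-Length"] = str(len(body))
    lines = [f"{method} {path} HTTP/{version}"]
    lines += [f"{name}: {value}" for name, value in hdrs.items()]
    return CRLF.join(line.encode("latin-1") for line in lines) + CRLF + CRLF + body


def parse_response(raw, request_method="GET"):
    """Split a raw response into status, headers and body.

    Header names are lowercased (they are case-insensitive); repeated
    fields are joined with ", ". The body is cut at Content-Length when
    present; otherwise, as in HTTP/1.0, it runs to the end of the data
    (the server signals the end by closing the connection). HEAD, 1xx,
    204 and 304 responses never carry a body, whatever Content-Length says.
    """
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block (no empty line seen)")
    status, *field_lines = head.split(CRLF)
    parts = status.decode("latin-1").split(" ", 2)
    version, code = parts[0], int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in field_lines:
        name, _, value = line.decode("latin-1").partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    truncated = False
    if request_method.upper() == "HEAD" or code in (204, 304) or 100 <= code < 200:
        body = b""
    elif "content-length" in headers:
        length = int(headers["content-length"])
        body = rest[:length]
        truncated = len(rest) < length  # connection dropped before the whole body arrived
    else:
        body = rest
    return {"version": version, "code": code, "reason": reason,
            "headers": headers, "body": body, "truncated": truncated}


def exchange(host, port, request, timeout=10):
    """Send one request on a fresh TCP connection and read until the server closes it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed samples; the header lines come from the chapter's Snort capture.
SAMPLE_HEAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 15 Apr 2002 06:11:53 GMT\r\n"
    b"Server: Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.22\r\n"
    b"Content-Length: 2123\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)
SAMPLE_GET_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 15\r\n"
    b"\r\n"
    b"<html>hi</html>"
)

if __name__ == "__main__":
    print(build_request("HEAD", "/").decode())
    info = parse_response(SAMPLE_HEAD_RESPONSE, "HEAD")
    print(info["code"], info["headers"]["server"], len(info["body"]))
```

To run it against a real host, pass build_request("HEAD", "/", "1.1", {"Host": host}) to exchange(host, 80, ...) and feed the result to parse_response(..., "HEAD"); the Server header it returns is the same banner the HEAD method entry in Table 4-1 describes.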

HTTP/1.1

First published as RFC 2068 in January 1997 and revised as RFC 2616 in June 1999, HTTP/1.1 is the latest incarnation of the HTTP protocol and is widely used. The IETF's RFC 2616 details the particulars of this latest version and highlights the additional functionality over HTTP/1.0. The primary failings of HTTP/1.0, and therefore the need for 1.1, include no hierarchical proxy support, little support for caching, and no proper handling of persistent connections and virtual hosts.

The HTTP/1.1 URL looks like this:

http://host [ ":" port ] [ absolute_path [ "?" query ]]

Table 4-3. Header Field Definitions

Header Field

Description

Allow

Lists the methods supported by the resource requested.

Authorization

Lists the authorization credentials for HTTP authentication.

Content-Encoding

Lists any additional content encoding being performed on the data returned. With this information the client knows better how to interpret the data returned. For example, Content-Encoding: x-gzip means that the content is gzip compressed.

Content-Length

Lists the size of the content's body in decimal number of octets. For example, Content-Length: 332.

Content-Type

Lists the content's type in the response. For example, Content-Type: text/html lists text/html as the content's type. This field helps the client understand better how to display the content in the browser.

Date

Lists the server's date and time.

Expires

Lists the date and time that the content should be considered out of date.

From

Carries the e-mail address of the human user controlling the requesting user agent (it is a request header, not a server one). Browsers rarely send it.

Last-Modified

Lists the date and time that the server believes the requested resource was last modified.

Location

Gives the URL the client should go to instead of the one it asked for. It accompanies the 3xx redirection codes (and 201 Created) rather than echoing the requested resource.

Pragma

Describes optional behavior for requests and responses. For example, if the server sends Pragma: no-cache, the client should load the content from the server regardless of whether it has a cached copy of it.

Referer

Allows the client to specify the address of the resource from which the request URI was obtained, that is, the page the user came from. Because the client supplies it, it can be omitted or forged at will and must never be relied on as an access control; it also leaks URLs, including any parameters in them, to every server a page links to.

Server

Lists the software running on the server. In most cases, this information is accurate. For example, Server: Microsoft-IIS/5.0. However, be forewarned because some smart administrators can change this information to be anything they want, such as "Mickey's Web Server."

User-Agent

Lists additional information about the user agent (client) requesting information. For example, User-Agent: Mozilla/5.0 (WinNT).

WWW-Authenticate

Used in response to 401 Unauthorized response code, this field holds a challenge for negotiating with the server for authorized access.

The HTTP/1.1 grammar spells out one component that the HTTP/1.0 form above leaves implicit: the "?" query, through which parameters are passed to scripts. (Query strings were already in use with HTTP/1.0 CGI programs; RFC 2616 simply makes them explicit in the URL syntax.) This designation is at the heart of all major Web applications and is one of the primary avenues of attack. Anything specified after the "?" is content that a script processes and therefore a target for attack (and fair game for hackers).

HTTP Request

Its predecessor, HTTP/1.0, had the fundamentals, but HTTP/1.1 has dramatically increased HTTP method support. Table 4-4 details the HTTP/1.1 methods and which of them are new.

HTTP Response

As with HTTP/1.0, HTTP/1.1 requests from a client are handled by the server and responded to accordingly. The HTTP/1.1 response is made up of the same three components:

Response code: a numeric code that corresponds to an associated response.

Header fields: additional information about the response.

Data: the content or body of the response.

Response Codes

The HTTP/1.1 specification added numerous response codes to the list, but the heart of the response codes didn't change. So, to understand the specifics of the HTTP/1.1 response codes, be sure to refer to the HTTP/1.0 protocol discussed earlier.

Header Fields

Both the client's request and the server's response contain header fields that hold varying degrees of additional information. The server and client parse these fields and use the information as needed. Table 4-5 covers the main additions to the header field definitions of HTTP/1.0.

Table 4-4. HTTP/1.1 Methods

Method

Description

CONNECT

New to HTTP/1.1

Used with a proxy that has the ability to switch dynamically to tunnel mode (i.e., SSL tunneling).

DELETE

New to HTTP/1.1

Requests that the origin server delete the resource specified. By default this functionality isn't available on most new servers. However, if present, its success will be indicated by a 200 OK response. A 202 Accepted response can occur if the action has been accepted but not acted on yet. A 204 No Content response can occur if the action has been accepted but the response doesn't require a body.

GET

Retrieves the resource identified by the request path, exactly as in HTTP/1.0: a static HTML file's contents are returned, and a server-side script such as an ASP file is executed and its output sent to the requesting browser. For example, a simple GET request is GET /default.htm HTTP/1.1 followed by Host: www.example.com.

Note: HTTP/1.1 requires a Host header on every request (a compliant server answers 400 Bad Request without one), and the header block still ends with an empty line, so you must hit ENTER twice after the last header.

HEAD

The HEAD method is almost identical to the GET method, with only one key difference: It won't return the requested data (the body). However, the power of HEAD is that it responds with the same meta-information a GET would, such as the server response code, the Date header, the Server header, and so on. This characteristic allows an attacker to enumerate a Web server's running Web software (sometimes). For example, HEAD / HTTP/1.1 followed by Host: www.example.com.

Note: As with every HTTP/1.1 request, a Host header is required, and you must hit ENTER twice after the last header to send the empty line that ends the request.

OPTIONS

Requests information about the communication options available for the resource requested. An asterisk "*" as the target asks about the server as a whole rather than any particular resource, so the Allow header in the reply lists only the methods that apply server-wide. For example, using "*" shows that only four methods are allowed server-wide: GET, HEAD, OPTIONS, and TRACE:

OPTIONS * HTTP/1.1
Host: www.example.com

HTTP/1.1 200 OK
Date: Mon, 15 Apr 2002 00:08:32 GMT
Server: WebSTAR/4.2 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6c
Content-Length: 0
Allow: GET, HEAD, OPTIONS, TRACE

However, asking about the "/" resource displays all the methods allowed for that resource, which is a much longer list:

OPTIONS / HTTP/1.1
Host: www.example.com
 
HTTP/1.1 200 OK
Date: Mon, 15 Apr 2002 00:07:17 GMT
Server: WebSTAR/4.2 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6c
Content-Length: 0
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS,
PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK,
UNLOCK, TRACE

This method can be quite useful at times (from a hacker's perspective) in enumerating the functionality of a Web site.

POST

The POST method requests that the server accept the enclosed information and act on it. POST methods are most commonly used when CGI or server-side scripting is involved. Note: A valid Content-Length header is required for all POST requests unless the body is sent with Transfer-Encoding: chunked, the alternative way of delimiting a body that HTTP/1.1 adds.

PUT

Requests that the enclosed entity (payload) be stored (saved) at the supplied resource. For example, the following would create a file called EXAMPLE and put the payload of the request in that file. Content-Length must equal the byte length of the body (11 for "Hello there"), and the body follows the headers after an empty line. A server that accepts PUT from unauthenticated clients lets an attacker write arbitrary files, scripts included, under the Web root, so PUT in an Allow list is always worth following up.

PUT /EXAMPLE HTTP/1.1
Host: 192.168.0.5
Content-Length: 11

Hello there

TRACE

Sends a request that the server (or an intermediary) echoes back: the response body is a copy of the request as it was received, including any headers that proxies along the way added or rewrote. If the request carries a Max-Forwards header, each proxy decrements it, and the one that receives a value of 0 answers instead of forwarding, so sending TRACE with Max-Forwards: 0, 1, 2, and so on lets an attacker enumerate the proxies in line one hop at a time. Because the echo includes whatever the client sent, TRACE also reflects cookies and Authorization headers back to the caller, which is why hardened servers disable it.
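Method enumeration as described for OPTIONS above, plus a correctly framed PUT, as an added example (not the book's code). It reads the Allow header from the two OPTIONS responses shown in this table (reconstructed here with RFC-style folded continuation lines), flags the methods a pentester would follow up on, and shows what OPTIONS * hides compared with OPTIONS /. The hostnames and paths are placeholders; the RISKY table is my own classification.

```python
"""Enumerate HTTP methods from OPTIONS responses and frame a PUT correctly.

Added example (not the book's code). The sample responses are constructed
from the two OPTIONS replies shown in the text.
"""

# Methods worth a second look when a server advertises them. The WebDAV
# verbs are included because they expose listing, creation, copying and
# moving of resources beyond what GET and POST allow.
RISKY = {
    "PUT": "writes the request body to the named resource (file upload)",
    "DELETE": "removes the named resource",
    "TRACE": "echoes the request, headers included, back in the body",
    "CONNECT": "turns the server or proxy into a TCP tunnel",
    "PATCH": "applies partial modifications to the resource",
    "PROPFIND": "WebDAV: lists properties, often directory contents",
    "PROPPATCH": "WebDAV: changes resource properties",
    "MKCOL": "WebDAV: creates collections (directories)",
    "COPY": "WebDAV: copies resources server-side",
    "MOVE": "WebDAV: moves or renames resources server-side",
    "LOCK": "WebDAV: locks resources",
    "UNLOCK": "WebDAV: unlocks resources",
}


def allow_from_response(raw):
    """Return the Allow header value from a raw response (text), or "" if absent.

    Folded continuation lines (starting with a space or tab) are joined
    first, because a long Allow list is often wrapped over several lines.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    unfolded = head.replace("\r\n ", " ").replace("\r\n\t", " ")
    for line in unfolded.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            return value.strip()
    return ""


def allowed_methods(allow_value):
    """Split an Allow value into upper-cased method tokens."""
    return [tok.strip().upper() for tok in allow_value.split(",") if tok.strip()]


def risky_methods(methods):
    """Map each advertised method that is in RISKY to the reason it matters."""
    return {m: RISKY[m] for m in methods if m in RISKY}


def resource_only_methods(server_wide, per_resource):
    """Methods advertised for a specific resource but not by OPTIONS *."""
    return sorted(set(per_resource) - set(server_wide))


def options_request(host, target="*"):
    """Raw OPTIONS request; use "*" for the server as a whole or a path for one resource."""
    return f"OPTIONS {target} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("latin-1")


def put_request(host, path, payload):
    """Frame a PUT. Content-Length must equal the byte length of the payload,
    and the payload follows the headers after an empty line."""
    head = f"PUT {path} HTTP/1.1\r\nHost: {host}\r\nContent-Length: {len(payload)}\r\n\r\n"
    return head.encode("latin-1") + payload


# Constructed from the two OPTIONS responses in the text (Allow folded RFC-style).
OPTIONS_STAR = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 15 Apr 2002 00:08:32 GMT\r\n"
    "Server: WebSTAR/4.2 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6c\r\n"
    "Content-Length: 0\r\n"
    "Allow: GET, HEAD, OPTIONS, TRACE\r\n"
    "\r\n"
)
OPTIONS_ROOT = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 15 Apr 2002 00:07:17 GMT\r\n"
    "Server: WebSTAR/4.2 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6c\r\n"
    "Content-Length: 0\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS,\r\n"
    " PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK,\r\n"
    " UNLOCK, TRACE\r\n"
    "\r\n"
)

if __name__ == "__main__":
    star = allowed_methods(allow_from_response(OPTIONS_STAR))
    root = allowed_methods(allow_from_response(OPTIONS_ROOT))
    print("server-wide:", star)
    print("only on /:", resource_only_methods(star, root))
    for method, why in risky_methods(root).items():
        print(f"  {method:9} {why}")
```

Allow is what the server claims, not what it enforces: confirm a flagged method by sending it (a PUT to a scratch path, a TRACE and inspecting the echo) rather than trusting the list either way, since some servers omit methods they accept and others advertise methods they reject.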

 

Table 4-5. HTTP/1.1 Additions to the HTTP/1.0 Header Field Definitions

Header Field

Description

Cache-Control

Specifies directives that must be obeyed by all caching mechanisms along the request/response chain.

Connection

Allows the sender to specify options for a particular connection.

ETag

Displays the current value of the entity tag.

Trailer

Provides a list of headers at the end of a message.

Transfer-Encoding

Indicates any transformation of the message body in order to transmit it.

Upgrade

Allows the client to specify which additional protocols it supports and would like to switch to on this connection (for example, Upgrade: TLS/1.0); a server that agrees answers 101 Switching Protocols.

Via

Appended by each gateway and proxy the message passes through, recording the protocol version and the host (or pseudonym) of every hop between sender and recipient. It is a trace of the path, not a way to choose it: unlike IP source routing, Via cannot steer a message through particular proxies. Reading it in responses, or in the echo of a TRACE request, is a quick way to enumerate the intermediaries in line.

Warning

Used to carry additional information about the status of a message.
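Enumerating proxies through TRACE (Table 4-4) and Via (this table), as an added example that is not the book's code: parse_via() splits a Via value into hops following the RFC 2616 grammar (protocol version, received-by host or pseudonym, optional comment), and injected_headers() compares the request you sent with the copy a TRACE response echoes, reporting what intermediaries added (Via, X-Forwarded-For) or changed (Max-Forwards). The proxy names, addresses and the echoed request below are constructed.

```python
"""Read proxy hops out of Via headers and out of a TRACE echo.

Added example (not the book's code). All proxy names, addresses and the
echoed request are constructed.
"""
import re

# One Via element: [protocol-name "/"] protocol-version received-by [comment]
# e.g. "1.1 proxy.example.net:3128 (squid/2.4)" or "HTTP/1.0 fw1"
_HOP = re.compile(
    r"^(?:(?P<proto>[\w.-]+)/)?(?P<ver>[\w.]+)\s+(?P<by>\S+)(?:\s+\((?P<comment>[^)]*)\))?$"
)


def parse_via(value):
    """Split a Via value into hop dicts, in the order the message traversed them.

    Elements are comma-separated; a comma inside a comment is not handled.
    """
    hops = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        m = _HOP.match(item)
        if not m:
            raise ValueError(f"unparseable Via element: {item!r}")
        hops.append({"protocol": m.group("proto") or "HTTP", "version": m.group("ver"),
                     "by": m.group("by"), "comment": m.group("comment")})
    return hops


def _headers(message):
    """Header block of a raw request (text) -> dict with lowercased names."""
    out = {}
    for line in message.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip request line
        name, _, value = line.partition(":")
        if name:
            out[name.strip().lower()] = value.strip()
    return out


def trace_request(host, max_forwards=None):
    """TRACE request; Max-Forwards: N makes the Nth proxy (0 = first) answer instead of forwarding."""
    lines = ["TRACE / HTTP/1.1", f"Host: {host}"]
    if max_forwards is not None:
        lines.append(f"Max-Forwards: {max_forwards}")
    return "\r\n".join(lines) + "\r\n\r\n"


def injected_headers(sent_request, trace_body):
    """Compare the request as sent with the request echoed by TRACE.

    Returns (added, changed): headers present only in the echo, and headers
    whose value differs, as (sent_value, echoed_value).
    """
    before = _headers(sent_request)
    after = _headers(trace_body)
    added = {k: v for k, v in after.items() if k not in before}
    changed = {k: (before[k], after[k]) for k in before if k in after and before[k] != after[k]}
    return added, changed


def proxies_in_line(trace_body):
    """Hops recorded in the Via header of an echoed request (empty list if none)."""
    via = _headers(trace_body).get("via", "")
    return parse_via(via) if via else []


# Constructed: what we sent, and what came back after two proxies handled it.
SENT = trace_request("www.example.com", 3).replace(
    "\r\n\r\n", "\r\nCookie: session=abc123\r\n\r\n")
ECHO = (
    "TRACE / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Max-Forwards: 1\r\n"
    "Cookie: session=abc123\r\n"
    "Via: 1.0 fw1.corp.example (NetCache), 1.1 proxy.example.net:3128 (squid/2.4)\r\n"
    "X-Forwarded-For: 192.168.0.3\r\n"
    "\r\n"
)

if __name__ == "__main__":
    added, changed = injected_headers(SENT, ECHO)
    print("added by intermediaries:", added)
    print("changed in transit:", changed)
    for hop in proxies_in_line(ECHO):
        print(f"  {hop['by']:28} {hop['protocol']}/{hop['version']}  {hop['comment']}")
```

Walking the chain is a loop around trace_request(): send it with Max-Forwards: 0, 1, 2, and so on, and each reply comes from a different hop until the origin server itself answers. The echo also shows why TRACE is disabled on hardened servers: the Cookie sent in the request comes straight back in the response body.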

HTTPS (HTTP over SSL)

HTTPS is HTTP carried inside an encrypted Secure Sockets Layer (SSL) session: the entire HTTP message, headers and body alike, is encrypted. Several versions of SSL and its IETF successor, Transport Layer Security (TLS, RFC 2246), exist: SSLv2, SSLv3, and TLS 1.0 (SSLv1 was never publicly released). To make things even more confusing, each version negotiates a cipher suite, a combination of key exchange (RSA or Diffie-Hellman), bulk cipher (DES, 3DES, RC2, or RC4), and integrity algorithm, from whatever both sides support. Today SSLv2 and SSLv3 are broken and prohibited (RFC 6176 and RFC 7568), so a server that still accepts them is a finding in its own right.

The easiest way to watch SSL work is with a network packet analyzer. Using Snort (http://www.snort.org), you can observe that traffic over TCP port 80 travels in the clear and can be read and recorded by anyone on the path:

04/14-22:43:39.781452 192.168.0.5:80 -> 192.168.0.3:2590
TCP TTL:128 TOS:0x0 ID:18197 IpLen:20 DgmLen:344 DF
***AP*** Seq: 0x22AA9B72  Ack: 0xFDC79BB8  Win: 0x445F  TcpLen: 20
0x0000: 00 06 5B 30 04 0C 00 20 78 0D 1F 4C 08 00 45 00  ..[0... x..L..E.
0x0010: 01 58 47 15 40 00 80 06 31 32 C0 A8 00 05 C0 A8  .XG.@...12......
0x0020: 00 03 00 50 0A 1E 22 AA 9B 72 FD C7 9B B8 50 18  ...P.."..r....P.
0x0030: 44 5F 33 9A 00 00 48 54 54 50 2F 31 2E 31 20 32  D_3...HTTP/1.1 2
0x0040: 30 30 20 4F 4B 0D 0A 44 61 74 65 3A 20 4D 6F 6E  00 OK..Date: Mon
0x0050: 2C 20 31 35 20 41 70 72 20 32 30 30 32 20 30 36  , 15 Apr 2002 06
0x0060: 3A 31 31 3A 35 33 20 47 4D 54 0D 0A 53 65 72 76  :11:53 GMT..Serv
0x0070: 65 72 3A 20 41 70 61 63 68 65 2F 31 2E 33 2E 31  er: Apache/1.3.1
0x0080: 32 20 28 57 69 6E 33 32 29 20 41 70 61 63 68 65  2 (Win32) Apache
0x0090: 4A 53 65 72 76 2F 31 2E 31 20 6D 6F 64 5F 73 73  JServ/1.1 mod_ss
0x00A0: 6C 2F 32 2E 36 2E 34 20 4F 70 65 6E 53 53 4C 2F  l/2.6.4 OpenSSL/
0x00B0: 30 2E 39 2E 35 61 20 6D 6F 64 5F 70 65 72 6C 2F  0.9.5a mod_perl/
0x00C0: 31 2E 32 32 0D 0A 4C 61 73 74 2D 4D 6F 64 69 66  1.22..Last-Modif
0x00D0: 69 65 64 3A 20 4D 6F 6E 2C 20 30 38 20 41 70 72  ied: Mon, 08 Apr
0x00E0: 20 32 30 30 32 20 30 31 3A 33 34 3A 35 35 20 47  2002 01:34:55 G
0x00F0: 4D 54 0D 0A 45 54 61 67 3A 20 22 30 2D 38 34 62  MT..ETag: "0-84b
0x0100: 2D 33 63 62 30 66 33 62 66 22 0D 0A 41 63 63 65  -3cb0f3bf"..Acce
0x0110: 70 74 2D 52 61 6E 67 65 73 3A 20 62 79 74 65 73  pt-Ranges: bytes
0x0120: 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68  ..Content-Length
0x0130: 3A 20 32 31 32 33 0D 0A 43 6F 6E 6E 65 63 74 69  : 2123..Connecti
0x0140: 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 43 6F 6E 74 65  on: close..Conte
0x0150: 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74  nt-Type: text/ht
0x0160: 6D 6C 0D 0A 0D 0A   ml....

The packet returned from the server is the normal response to a HEAD request: status line and headers, readable byte for byte in the right-hand column. Now let's look at the same exchange carried over SSL on port 443:

04/14-22:46:51.135042 192.168.0.5:443 -> 192.168.0.3:2592
TCP TTL:128 TOS:0x0 ID:18212 IpLen:20 DgmLen:339 DF
***AP*** Seq: 0x25992D24  Ack: 0xB641BA  Win: 0x4266  TcpLen: 20
0x0000: 00 06 5B 30 04 0C 00 20 78 0D 1F 4C 08 00 45 00  ..[0... x..L..E.
0x0010: 01 53 47 24 40 00 80 06 31 28 C0 A8 00 05 C0 A8  .SG$@...1(......
0x0020: 00 03 01 BB 0A 20 25 99 2D 24 00 B6 41 BA 50 18  ..... %.-$..A.P.
0x0030: 42 66 B9 04 00 00 17 03 00 01 26 46 E4 32 33 3E  Bf........&F.23>
0x0040: 1E 19 5E 9E FB DB 7F 55 41 73 09 9A 97 DE D7 65  ..^....UAs.....e
0x0050: A5 FD 00 0B 0B 9F 89 2A C2 4C 28 3B AD 0A 0A C9  .......*.L(;....
0x0060: A9 8D 57 54 AA DB 3D 53 9E C4 3D 0F 24 C8 DB 85  ..WT..=S..=.$...
0x0070: B8 2C 36 87 4E 1D 30 A5 2C F2 36 31 CC 48 58 69  .,6.N.0.,.61.HXi
0x0080: 3F A9 2A 8A 28 57 43 ED 4F C1 FF 2A B2 AF 2A BF  ?.*.(WC.O..*..*.
0x0090: 23 54 F0 AB 9D 6F 5D 07 21 CF DF 07 2E 73 2D 5D  #T...o].!....s-]
0x00A0: BC 18 8C E0 22 FA 84 80 17 EE 66 98 D9 CB 68 ED  ....".....f...h.
0x00B0: 18 76 D2 DE E6 FA 6F B7 0B 09 AD 24 6B 8C 97 0E  .v....o....$k...
0x00C0: 6F 26 8B 9F 58 ED FB 53 13 3E 1C 20 73 D3 BE A2  o&..X..S.>. s...
0x00D0: 8D C1 D2 20 09 F7 59 E1 9F D9 B2 84 49 58 DB 9F  ... ..Y.....IX..
0x00E0: B7 61 AC E5 A2 56 C0 3F 6E 7E 67 54 4E B3 2E E1  .a...V.?n~gTN...
0x00F0: A8 F8 6C 87 95 7B 62 BD 6E 5B 70 28 3C 89 8E D4  ..l..{b.n[p(<...
0x0100: ED AB 3C E0 3E 75 5B DF BC 82 7C 4F C8 45 7C 66  ..<.>u[...|O.E|f
0x0110: FB 73 B8 29 CC 57 2D F2 5C 66 59 0E BE 4A 3B 42  .s.).W-.\fY..J;B
0x0120: 2F 5F 32 1E E2 DD FB C1 84 E9 07 0C DE CD 0B 72  /_2............r
0x0130: 91 F5 3C 61 6E FF 66 F1 D8 9B 7C CB 25 59 73 71  ..<an.f...|.%Ysq
0x0140: B9 02 33 15 71 B9 4B 9D FC FF F0 F2 B1 52 D7 54  ..3.q.K......R.T
0x0150: 42 21 E4 B3 F7 5D 77 F3 6A 16 4E 19 40 A2 BC D9  B!...]w.j.N.@...
0x0160: C4   .

Everything is now encrypted and beyond the prying eyes of the attacker. The value of SSL is simple: it encrypts traffic between two hosts, so an attacker on the path can no longer read and record sensitive data such as passwords. Don't be fooled, though: SSL secures the channel, not the application. It protects the conversation against eavesdropping, much like scrambling a call on a wireless phone, and does nothing about flaws in the Web application at either end. Even the channel protection has limits: a tool such as ssldump (http://www.rtfm.com/ssldump/) decrypts captured SSL traffic when given the server's private key (the certificate alone is public and is not enough), provided the session used RSA key exchange rather than an ephemeral Diffie-Hellman cipher suite.

 



Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005
Pages: 156