Website Architecture

Now that you have a reasonable understanding of some of the most common website languages, it is time to put it all together. Before you can understand how to perform an attack against web servers, you must understand how web traffic works. When you enter a website address into a browser, such as http://www.cisco.com, your computer first sends a DNS request to your DNS server. In this request, your computer is asking for the IP address for the Cisco.com website. Your DNS server will respond with the IP address of the website you are requesting (for example, 198.133.219.25).

Next, your web browser creates a socket. A socket is a combination of your IP address and the destination port number which, in the case of HTTP traffic, is TCP port 80. In this example (also illustrated in Figure 7-10), a socket would be created for 198.133.219.25:80. Your web browser then sends an HTTP GET request to the socket address of 198.133.219.25:80. The web server at this address listens to this request and returns a response code:

• 200 OK

• 404 Page Not Found

• 403 Access Denied

• 302 Object Moved

Figure 7-10. Common Web Traffic

If the response is 200 (OK), the requested data is returned to the web browser and presented to the browser. The requested data is typically formatted in a markup, or tagging, language such as XML, HTML, or SGML. HTML is the most common standard. You can read more about HTML in RFC 2616 (http://www.ietf.org/rfc/rfc2616.txt).

You can perform two types of attacks against web servers:

• Attacks against the web server

• Web-based authentication attacks

Attacks against web servers include exploiting vulnerabilities in popular servers like the Apache Web Server or Microsoft Internet Information Server (IIS). You can use these attacks to upload files or code, crash a server, or obtain private information.

The second attack type, web-based authentication attacks, is gaining unauthorized access to a website. This is commonly done through brute force password attacks.

The ironic part about web attacks is that web communication can be secure. Unfortunately, too many developers leave problems in their code that make them open to exploits, and too many servers are left unpatched. This results in vulnerable systems that otherwise should not be. It is this negligence that leaves so many systems susceptible to attackers. As a penetration tester, you ultimately are testing for the degree of a company's negligence to protect their website presence.