Web Server Hacking - Essay Example

Web Server Hacking Introduction In daily activities of people, the internet has grown into an integral element that does not only work as an entertainment platform, but communication, data collection, selling products, research and other business processes are some of the applications of the internet at the workplace. Potential employees benefit from online application of jobs and recruitment. Customer support services are more efficient when performed electronically as more customers get to access the services at the same time. As a result of the transmission of sensitive financial and confidential information, cyber criminals have chosen to engage in illegal activities over the internet. To add to the attraction and profitability of these hacking attacks is the proliferation of insecure web applications (Zachary, 2006). These attacks on computer systems with negative intent are not new. They go as far back as the eighties when hackers used their skills to break into computer systems and perform their illegal activities. The advent of web based applications, though, has led to the increase of sophistication in hacking attacks. The skill required to perform these attacks, on the other hand has lessened proportionately. In order to understand the need for security in one’s computer system, he or she should realize the risks involved. Most operating systems have a default configuration that is not designed with security as the chief focus. The default setup, instead, focus on functionality, communications and usability. There is therefore a need to understand the server vulnerabilities in a system in order to perform particular functions to improve security (Leyden, 2002). It is hence clear that web server hacking is an important topic that should be evaluated in detail and understood by users of computer systems. Discussion of Web Server Hacking When one tries to break into or use a computer system wrongly, he or she is considered an intruder. ‘Using wrongly’ is not a restricted term and can be used to represent an act of stealing confidential information or a minor offense of just misusing one’s email for spam (Zachary, 2006). Presently, more people both through the internet and corporate intranets are continuously attempting to test the various systems’ security. The motive differs in every instance but revenge and stealing for profit are some of the motives driving intruders. ‘Hacker’ and ‘attacker’ are the two terms that are used in describing a person who tries to get into networks and systems. An individual that likes to get into their computer system and establish how it works is a benign hacker. The one that gets into other people’s computer systems and networks is malicious hacker. ‘Attacker’ is a term benign hackers prefer the media would use to distinguish the malicious hacker from the benign hackers. An attacker is either an insider or an outsider. An insider can access the victim’s internal network legitimately. However, he or she misuses their privileges or impersonate users who are higher privileged. In most insider attack cases, the motive is either greed or revenge. An outside attacker defaces the victim’s web server or uses other means to attempt to attack the victim’s external presence from outside their network (Zachary, 2006). The motives in an outside attack are several and the possible attackers may range from random internet users to a partner network that is linked to the victim’s corporate network. The intruder can either access the target system through physical, remote or system intrusion. Physical intrusion applies when the attacker can access the victim’s machine. Here, the attacker can either take part of the machine (e.g. a hard drive) and read/write it on another machine or utilize special privileges granted at the console (Zachary, 2006). Remote intrusion applies when the attacker tries to get into the system remotely across the network. No special privileges are available to the attacker as he or she starts intruding. System intrusion applies on the assumption that the attacker has a level of privilege user account that is low. The attacker, through the use of a known exploit, can access administrative privileges if no latest security paths are available on the system. Web server attacks usually involve remote and system intrusions. DoS, DDoS and Black hat are types of web server attacks (Leyden, 2002). Denial of Service (DoS) is a type of attack where the computer resource is made unavailable to the intended user. A stream of requests is sent to a service on the server machine by the attacker so that all the resources may be exhausted. The attack involves flooding service ports, flooding mail servers, jamming networks and mis-configuring routers (Najmi, 2004). Distributed DoS (DDoS) is an attack whereby a daemon or agent is installed by the hacker on numerous hosts. A master who resides in any of the several hosts receives a command from the hacker which it then communicates to the agents that reside in the other servers calling for the attack to begin. Blocking one IP address or network cannot stop a DDoS attack hence it is more difficult to combat it. In this attack, traffic derives from hundreds or thousands of individual systems. The attack involves send mail attack, SNMP attack, SYN Flooding attack, IP fragmentation attack, Port scanning attack and FTB Bounce attack (Najmi, 2004). File Transfer Protocol (FTP) is the application used in transferring data and documents anonymously from the local machine to the server. The reverse also works. The FTP bounce attack slips past the application based firewalls in its attack. A file is uploaded to the FTP server by the hacker in this attack and a request to send this file to an internal server is performed. This file can either contain malicious software or a simple script which will occupy the internal server and use up all the memory as well as the CPU resources (Najmi, 2004). When a person uses software to systematically scan the entry points on another person’s machine, this is termed as a port scan. This software can be used legitimately in managing a network. An attack of this kind would entail a hacker entering into someone’s system and changing the set-up configuration, capturing passwords or leaving unidentifiable harassing messages. SYN flooding attack is one that identifies the TCP/IP communications protocol’s vulnerability and exploits it (Najmi, 2004). A non-existent system is created in the attack and the victim machine keeps responding to it. Packets are sent to the victim and it is asked to respond to a system or machine with an incorrect IP address. During its response the victim machine is flooded with the requests. A waiting period is initiated as the requests await a response until the packets start to time out and are dropped. The victim system is hence consumed by the request during this waiting period therefore it cannot respond to the legitimate requests. Reduction of size of IP packets or breaking them into smaller parts is a function performed sometimes in order to facilitate IP transition to take place over comparatively congested networks. Routers and intrusion detection systems will allow the packets to pass without any examination since they are small and their contents cannot be identified (Najmi, 2004). Due to the overflowing of the buffer once the packet reassembles at the other end, the machine might hang, reboot or show no effect whatsoever. A send mail attack involves a lot of messages being sent in a short period. Other attacks on web server are SQL injection, Bruce force attacks and cross-site scripting. Cross-site scripting is a major problem on websites since a vast majority of websites are vulnerable (Leyden, 2002). An arbitrary code on either the server or the client is run. The input strings, in either such boxes or forms, may not be properly sanitized so they can remove illegal characters. The non- sanitized string can escape the code of the form hence execute its own code that is hosted on another site and in this way the client’s machine will be exploited. SQL injection attack works on the same principle as XSS with the unsanitized strings injecting an SQL query into the database (Anderson, n.d.). The query inserted can either be new or request current information. In this way dozens of enumerated usernames will be created hence leading to compromise of a user account. Brute force attack applies when a list of passwords for a particular username are checked as the attacker attempts to guess the right one. A dictionary file catered to the intruder’s attack vector would guess the passwords more quickly. The user’s security question can also be used if the attacker has gathered enough information about the user. Web server vulnerabilities are used to determine exploitable points in a system. Remote code execution is a vulnerability which permits a hacker to retrieve any information they desire contained in the system through running arbitrary system level code on the vulnerable server (Siddhartha, 2010). SQL injection is another vulnerability that enables an attacker to retrieve important information from the database of a web server. Format string vulnerability arises when unfiltered user input in particular Perl or C functions that perform formatting as the format string parameter (Siddhartha, 2010). Reading, writing and denial of service are the three categories that this attack falls into. Cross-site scripting vulnerability involves the execution of a malicious URL by the victim whereby the executed URL is crafted in a way that makes it appear legitimate at first look. Username enumeration is a vulnerability that uses the backend validation script to inform the attacker whether the supplied username is correct or wrong. The attacker hence experiments with various usernames and with the help of these error messages the valid usernames will be determined (Zachary, 2006). In order to determine the vulnerabilities in one’s web server, scanning is carried out. Whisker is a web scanning tool that identifies web pages which have known security problems or the ones that should be removed in order for the web document root to be clean. In addition, it can initialize brute force attacks to block sites using HTTP basic authentification (Siddhartha, 2010). The author of this scanner, though, has not recently updated it. Zachary (2006) explains that stealth is a fast and comprehensive scanner which scans a range of IP addresses hence blocking sites that are potential threats. A disadvantage of stealth is that it cannot input a file list of IP addresses therefore focusing on specific servers or a web farm is impossible. Nessus is a web server vulnerability checker that scans servers for vulnerability. Nessus is even more advantageous as a scanner since it is not restricted to web servers only. More effort is spent setting up this scanner compared to stealth and whisky but it is actively maintained and has vulnerability checks that are up to date. TWWWscan/ Arirang are also a vulnerability scanner. The scanners evaluated are measures implemented to enumerate all user input fields and combat attacks. These measures that are put in place so that the surface of vulnerability can be reduced can be termed as Server hardening (Najmi, 2004). Once the number of available vectors is reduced, the surface of vulnerability is also reduced hence securing the system. Removal of unnecessary, usernames, logins, software and services are some of the actions taken to reduce these vectors. Various methods can be used to harden UNIX and Linux systems. They include applying a patch to the kennel, installing systems to detect intrusion and ensuring open network ports are closed (Najmi, 2004). Hardening scripts and tools can also be used in the process. Conclusion The computer system is exposed to very many potential intruders. The intruders may attack the target system through a number of attacks including black hat attacks, DoS attacks, port scan attack, SYN Flooding attack and buffer flow attacks. The vulnerability points that may be exploited are format string, remote code execution, SQL injection, username enumeration and cross-scripting vulnerabilities. In order to combat these vulnerabilities, scanners are used to scan the server and identify the vulnerabilities before they can be exploited by the attackers. These scanners are examples of the hardening processes used in order to secure the system. Despite all the efforts made by computer experts, the vulnerabilities can never be completely eradicated therefore web server attacks cannot be completely eliminated. However, they can be reduced through continual research and sophistication of approaches used in combating server attacks. References Anderson, C. (n.d): What are the common types of attacks on web servers? Tech Tips Demand Media. Retrieved September 21, 2011 from http://techtips.salon.com/common-types-attack-servers-2062.html Leyden, J. (2002): Web server vulnerability reaches all time high. The Register. Posted July 4, 2002. Retrieved September 21, 2011 from http://www.theregister.co.uk/2002/07/04/web_server_vulnerability_reaches_all/ Najmi. S (2004): Types of attacks on web servers. Techi Warehouse. Retrieved September 21, 2011 from http://www.techiwarehouse.com/engine/21b0d480/Types-of-Attacks-on-Web-Servers Siddhartha, S (2010): Five common Web application vulnerabilities. Symantec (Posted November 2). Retrieved September 21, 2011 from http://www.symantec.com/connect/articles/five-common-web-application-vulnerabilities Zachary, W. (2006): Hacking: The Basics. Retrieved September 21, 2011 from http://www.sans.org/reading_room/whitepapers/hackers/hacking-basics_955 Read More