TODAY THE PUBLIC FACE of just about every organization is its Web site. Companies host all sorts of content on their servers with the intent that their customers or potential customers will be able to find out more about their products and services. A Web site is the first point of contact for customers and also an attractive target for an attacker. With a well-placed attack, an individual with an ax to grind can embarrass a company by defacing its Web site or even by stealing information.
As a security professional, one of the tasks you will be charged with is safeguarding this asset and the infrastructure that is attached to it. Defending a Web server will require special care and knowledge to make the information and content available, but at the same time protect it from unnecessary exposure to threats. This task is trickier than it sounds because a balance has to be struck between making the content accessible to the appropriate audience while at the same time ensuring that it is secure. In addition, the Web server cannot be considered a standalone entity, because it will usually be attached to the organization's own network, meaning threats against the server can flow over into the company network as well.
Making the situation more complex is the fact that Web servers may host not only regular Web pages but also Web applications and databases. More and more organizations are looking to Web services such as streaming video and Web applications such as SharePoint to make a more dynamic experience for their clients. Also, organizations are hosting ever-increasing amounts of content such as databases online for a wide range of reasons. Each of these situations represents another detail that the security professional must address properly to make sure that the server and the organization itself are safe and secure.
In this chapter you will learn how to deal with the issues revolving around Web servers, Web applications, and databases. The issues involved are a diverse group, but they can be properly dealt with if due care is exercised.
One of the popular targets for attack is the Web server and its content. An attacker wanting to cause an organization grief can attack a server and steal information, vandalize a site, disrupt services, or even cause a public relations nightmare for an organization. Consider the fact that the Web server is the public face that customers and clients quite often see first, so the security of the server and the sites contained on it becomes even more of an issue to the security professional.
Before going too far, look at Web servers through the eyes of the three classes of individuals who will be interacting or concerned with the health and wellbeing of the Web server:
Server administrator—Concerned with the security of the server because it can provide an easy means of getting into the local network. It is not unlikely to have a Web server act as the entry point into the network for malicious code such as viruses, worms, Trojans, and rootkits. For server administrators, the problem becomes even more of a challenge because Web servers have become increasingly complex and feature-rich, with unknown or undocumented options that are left unaddressed.
Network administrator—Concerned with the fallout from the problems the server administrator may introduce or overlook. These security problems can lead to holes that can be exploited to gain access to the company network and the services therein. These administrators are aware that a Web server needs to be usable by the public and therefore accessible to the masses, but at the same time to be secure (which can be in conflict with the former goal).
End user—The individual who will work with the server the most to access content and services. Regular users just want to browse to a site and access their desired content; they do not think about things like Java and ActiveX and the very real security threats they may be introducing to their system. Making this more of an issue is the simple fact that the Web browser they are using to access this content can allow threats to bypass their or the company's firewall and have a free ride into the internal network.
Risks inherent with Web servers can typically be broken into three categories, each of which will be examined in more detail. Each of the categories of risk can be matched to the environments in which each of the users operates:
Defects and misconfiguration risks—Risks in this category include the ability to steal information from a server, run scripts or executables remotely, enumerate servers, and carry out denial of service (DoS) attacks. Attacks in this space are generally associated with the types of attacks a server administrator or webmaster would encounter.
Browser- and network-based risks—Risks of this type include an attacker capturing network traffic between the client (Web browser) and server.
Browser or client side risks—In this category are risks that affect the user's system directly, such as crashing the browser, stealing information, infecting the system, or having some impact on the system.
Note
Misconfiguration also covers the act of server administrators leaving default configurations in place.
Web servers have a lot of the same vulnerabilities as any other servers—plus all the vulnerabilities associated with hosting content. Web servers can be the only face of companies that have no traditional locations (for example, Amazon and eBay). So you must have a thorough understanding of the vulnerabilities that are present in this medium.
A potentially dangerous vulnerability seen in Web site design is what you aren't supposed to see. Specifically, the comments and hidden tags that are placed in a Web page by the Web designer. These items aren't designed to be displayed in the browser, but a savvy attacker can observe these items by viewing the source code of the page:
<form method="post" action="../../cgi-bin/formMail.pl"> <!--Regular FormMail options----> <input type=hidden name="recipient" value="[email protected]"> <input type=hidden name="subject" value="Message from website visitor"> <input type=hidden name="required" value="Name,Email,Address1,City,State,Zip,Phone1"> <input type=hidden name="redirect" value="http://www.someplace.com/received.htm"> <input type=hidden name="servername" value="https://payments.someplace.com"> <input type=hidden name="env_report" value="REMOTE_HOST, HTTP_USER_AGENT"> <input type=hidden name="title" value="Form Results"> <input type=hidden name="return_link_url" value="http://www.someplace.com/main.html"> <input type=hidden name="return_link_title" value="Back to Main Page"> <input type=hidden name="missing_fields_redirect" value="http://www.someplace.com/ error.html"> <input type=hidden name="orderconfirmation" value="[email protected]"> <input type=hidden name="cc" value="[email protected]"> <input type=hidden name="bcc" value="[email protected]"> <!--Courtesy Reply Options-->
When looking at the code, there is some information that is useful to an attacker. While the information may not be completely actionable as far as something that can be attacked it does give us something. In the code notice the presence of e-mail addresses and even the presence of what appears to be a payment processing server (https:// payments.someplace.com). This is information that an attacker may use to target an attack.
The following is another example of a vulnerability in code that can be exploited:
<FORM ACTION =http://111.111.111.111/cgi-bin/order.pl" method="post" <input type=hidden name="price" value="6000.00"> <input type=hidden name="prd_id" value="X190"> QUANTITY: <input type=text name="quant" size=3 maxlength=3 value=1>
In this example, the Web designer has decided to use hidden fields to hold the price of an item. Unscrupulous attackers could change the price of the item from $6,000.00 to $60.00 and make their own discount.
A common vulnerability in Web servers, and all software, is the buffer overflow. A buffer overflow occurs when an application, process, or program attempts to put more data in a buffer than it was designed to hold. In practice, buffers should hold only a specific amount of data and no more. In the case of a buffer overflow, a programmer, either through lazy coding or other practices, creates a buffer in code, but does not put restrictions on it. Much like too much water poured into an ice cube tray, the data must go someplace, which in this case means adjacent buffers. When data spills or overflows into the buffers it was not intended for, the result can be corrupted or overwritten data. In practice if this act occurs, the result can be that data loses its integrity. In extreme cases, buffer overwriting can lead to anything from a loss of system integrity to the disclosure of information to unauthorized parties.
Note
Comments are not a bad thing to have in code; in fact, comments are a good feature to have when developing an application and should be retained in the original source code. Code that is published into a public area such as a Web site should have these comments removed or sanitized.
Note
Buffer overflows are not exclusive to Web servers, Web applications, or any application; they can be encountered in any piece of code that you may use.
An attack that can wreak havoc with a Web server is the venerable DoS attack. As a fixed asset, a Web server is vulnerable to this attack much as any other server-based asset would be. When carried out against a Web server, all the resources on a Web server can be rapidly consumed, slowing down the performance of a server. A DoS is mostly considered an annoyance due to the ease at which it can be defeated.
Where a DoS attack is mostly an annoyance, the distributed denial of service (DDoS) attack is much more of a problem. A DDoS accomplishes the same goal as a DoS: to consume all the resources on a server and prevent it from being used by legitimate users. The different between a DDoS and a DoS is scale, using the concept of economy of scale. In a DDoS, many more systems are used to attack a target, crushing it under the weight of multiple requests at once. In some cases, the attack can be launched from thousands of servers at once against a target.
Some of the more common DDoS attacks include:
Ping flooding attack—A computer sends a ping to another system with the intention of uncovering information about the system. This attack can be scaled up so that the packets being sent to a target will force the system to go offline or suffer slowdowns.
Smurf attack—Similar to the ping flood attack, but with a twist to the process. In a Smurf attack, a ping command is sent to an intermediate network where it is amplified and forwarded to the victim. This single ping now becomes a virtual tsunami of traffic.
SYN flooding—The equivalent of sending a letter that requires a return receipt; however, the return address is bogus. If a return receipt is required and the return address is bogus, the receipt will go nowhere, and a system waiting for confirmation will be left in limbo for some period of time. An attacker that sends enough SYN requests to a system can use all the connections on a system so that nothing else can get through.
IP fragmentation/fragmentation attack—Requires an attacker to use advanced knowledge of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite to break packets up into "fragments" that can bypass most intrusion-detection systems. In extreme cases, this type of attack can cause hangs, lock-ups, reboots, blue screens, and other mischief.
A banner can reveal a wealth of information about a Web server for those who know how to retrieve it. Using a piece of software such as Telnet or PuTTY, it is possible to retrieve this information about a server.
What's in a banner? The following code illustrates what is returned from a banner:
HTTP/1.1 200 OK Server: <web server name and version> Content-Location: http://192.168.100.100/index.htm Date: Wed, 12 May 2010 14:03:52 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Wed, 12 May 2010 18:56:06 GMT ETag: "067d136a639be1:15b6" Content-Length: 4325
This header, which is easy to obtain, reveals information about the server that is being targeted. Web servers can have this information sanitized, but the webmaster must actually make the effort to do so.
This information can be returned quite easily from a Web server using the following command:
telnet www.<servername>.com 80
Note
Banners can be changed in most Web servers to varying degrees to meet the designer or developer's goals. You should become familiar with your Web application or server to see what you can configure and what is practical to do.
Permissions control access to the server and the content on it, but the problem is they can easily be incorrectly configured. Incorrectly assigned permissions have the potential to allow access to locations on the Web server that should not be accessible.
Note
Permissions should always be carefully assigned, configured, and managed. Even better, permissions should always be documented to ensure that the proper ones are in place.
While they might not seem like a problem, error messages can be a potential vulnerability as well giving vital information to an attacker. Error messages like 404 for example, tell a visitor that content is not available or located on the server. However there are plenty of other error messages that can be given each given different types of information from the very detailed to the very obscure.
Table 9-1 displays error messages that may be displayed in a Web browser or Web application when a connection is attempted to a Web server or service.
The messages in Table 9-1 come directly from Microsoft's development database.
Note
Error messages should be configured to be descriptive when doing development and testing, but when deployed into a production environment they should be sanitized.
Servers should be purpose-built to the role they will fill in the organization; anything not essential to this role should be eliminated. This process, known as hardening, will get rid of the features, services, and applications that are not necessary for the system to do its appointed job.
Note
Everything that is running on a system—such as a service, application, or process— is running something that can be targeted and exploited by an attacker.
Table 9-1. Partial list of IIS 6.0 messages.
DESCRIPTION | |
|---|---|
400 | Cannot resolve the request. |
401.1 | Unauthorized: Access is denied due to invalid credentials. |
401.2 | Unauthorized: Access is denied due to server configuration favoring an alternate authentication method. |
401.3 | Unauthorized: Access is denied due to an ACL set on the requested resource. |
401.4 | Unauthorized: Authorization failed by a filter installed on the Web server. |
401.5 | Unauthorized: Authorization failed by an ISAPI/CGI application. |
401.7 | Unauthorized: Access denied by URL authorization policy on the Web server. |
403 | Forbidden: Access is denied. |
403.1 | Forbidden: Execute access is denied. |
403.2 | Forbidden: Read access is denied. |
403.3 | Forbidden: Write access is denied. |
403.4 | Forbidden: SSL is required to view this resource. |
403.5 | Forbidden: SSL 128 is required to view this resource. |
403.6 | Forbidden: IP address of the client has been rejected. |
403.7 | Forbidden: SSL client certificate is required. |
403.8 | Forbidden: DNS name of the client is rejected. |
403.9 | Forbidden: Too many clients are trying to connect to the Web server. |
403.10 | Forbidden: Web server is configured to deny Execute access. |
403.11 | Forbidden: Password has been changed. |
Most operating systems come preconfigured with a number of user accounts and groups already in place. These accounts can easily be discovered through a little research on an attacker's part. These accounts can be used to gain access to the system in ways that can be used for no good.
Tip
Remember that discovering the default accounts in an operating system or environment is very easy because the system vendor generally has these details listed on its Web site.
Structured Query Language (SQL) injections are designed to exploit applications that solicit the client to supply data that is processed in the form of SQL statements. An attacker forces the SQL engine into executing commands unintended by the creator by supplying specially crafted input. These commands force the application to reveal information that is restricted.
SQL injections are an exploit in which the attacker "injects" SQL code into an input box or form with the goal of gaining unauthorized access or alter data.
Can be used to inject SQL commands to exploit non-validated input vulnerabilities in a Web app database.
Can be used to execute arbitrary SQL commands through a Web application.
Note
Structured Query Language (SQL)
is a language used to interact with databases. Using SQL it is possible to access, manipulate and change data in databases to differing degrees. The language is not designed for any specific vendor's database, though some vendor's have added their own customizations, and is commonly used in large database systems.
SQL injections require considerable skill to execute, but the effects can be dramatic. Simply put, SQL injections are designed to exploit "holes" in the application. If an attacker has the appropriate knowledge of the SQL language such an attack can yield a tremendous amount of access to the database on the Web site and the Web applications that rely on it.
So what are the tools you will need to perform an SQL injection? Not much in the scheme of things:
Web browser
Knowledge of SQL
Lack of input validation
Note
To be effective, an SQL injection does require a level of knowledge and comfort with the SQL language. However, browsers such as Mozilla Firefox do offer add-ons that make the level of knowledge less than it used to be. Other plugins that are available can assist in the process of locating weaknesses in a Web site or Web application giving the attacker the ability to target their attack.
The environment and platform affected can be:
Language—SQL
Platform—Any
SQL injections are common and serious issues with any Web site that uses a database as its back end. Those with the correct knowledge can easily detect and exploit flaws. Since a large of Web sites use databases as their back end to provide a rich experience to the visitor the potential for a Web site to be effected by this attack is possible on even small-scale sites.
Essentially an SQL injection is carried out by placing special characters into existing SQL commands and modifying the behavior to achieve the attacker's desired result.
The following example illustrates an SQL injection in action and how it is carried out. This example also illustrates the impact of introducing different values into an SQL query.
Tip
Take special note of the last two characters, which are two hyphens (--). These characters are significant, as they tell the database to treat everything following as a comment and therefore not executable. In the event that this query was modified, anything in the original query following the hyphens would now be ignored and everything prior would be executed.
In the following example, after an attacker with the username "kirk" inputs the string 'name'; DELETE FROM items;-- ' for itemName, then the query becomes the following two queries:
SELECT * FROM items WHERE owner = 'kirk' AND itemname = 'name'; DELETE FROM items;-- '
Several of the well known database products such as Microsoft's SQL Server and Seibel allow multiple SQL statements separated by semicolons to be executed at once. This technique is formally known as batch execution and allows an attacker to execute multiple arbitrary commands against a database. In other databases this technique will generate an error and fail, so knowing the database you are attacking is essential.
If an attacker enters the string 'name'; DELETE FROM items; SELECT * FROM items WHERE 'a' = 'a';, the following three valid statements will be created:
SELECT * FROM items WHERE owner = 'kirk' AND itemname = 'name'; DELETE FROM items; SELECT * FROM items WHERE 'a'='a';
A good way to prevent SQL injection attacks is to use input validation, which ensures that only approved characters are accepted. Use whitelists, which dictate safe characters, and blacklists, which dictate unsafe characters.
Web servers are the targets of numerous types of attacks, but one of the most common attacks is the act of vandalism known as defacement. Defacing a Web site can be aggressive or very subtle, depending on the goals of the attacker, but in either case the goals are the same: to embarrass the company, make a statement, or just be a nuisance. In order to actually deface a Web site, it is possible to use a number of methods, depending on the attacker's own skill level, capabilities, and opportunities available. Any of the following methods may be used:
Let's take a look at some of the more common ways of attacking a Web server and the sites hosted on them.
Developers of Web applications have traditionally been less than careful regarding the type of input they will accept. In most cases, a user entering data into a form or Web site will have few if any restrictions placed up on them when he or she enters data. When data is accepted without restriction, mistakes both intentional and unintentional will be entered into the system and can lead to problems later on, such as the following:
System crashes
Database manipulation
Database corruption
Buffer overflows
Inconsistent data
A good example of input validation, or rather the lack of it, is a box on a form where a phone number is to be entered, but actually any form of data will be accepted. In some cases, taking the wrong data will simply mean that the information may be unusable to the owner of the site, but it could cause the site to crash or mishandle the information to reveal information onscreen.
Note
Always ask what type of data you are expecting in an application (such as a form) and make sure that this is the only type of data that is accepted.
Another type of attack against a Web server is the cross-site scripting (XSS) attack. It relies on a variation of the input validation attack, but the target is different because the goal is to go after a user instead of the application or data. An example of a XSS uses scripting methods to execute a Trojan with a target's Web browser; this would be made possible through the use of scripting languages such as JavaScript or VBScript. By careful analysis, an attacker can look for ways to inject malicious code into Web pages in order to gain information from session info on the browser, to elevated access, to content in the browser.
Web applications have become more popular in recent years, with companies deploying more of this class of software application. Applications such as Microsoft SharePoint, Moodle, and others have been deployed for all sorts of reasons, ranging from organization of data to simplified customer access. Applications in this category are typically designed to be accessed from a Web browser or similar client application that uses the HTTP protocol to exchange information between the client and server.
Software in this category can be written in any number of development languages, including Java or ActiveX. Web applications can be constructed with a variety of application platforms, such as BEA Weblogic, ColdFusion, IBM WebSphere, Microsoft .NET, and Sun JAVA technologies.
Exploitative behaviors:
Theft of information such as credit cards or other sensitive data
The ability to update application and site content
Server-side scripting exploits
Buffer overflows
Domain Name Server (DNS) attacks
Destruction of data
Making Web applications even more of a concern to the security professional is the fact that many Web applications are dependent on a database. Web applications will hold information such as configuration information, business rules and logic, and customer data. Using attacks such as SQL injections, an attacker can compromise a Web application and then reveal or manipulate data in ways that an owner may not have envisioned, much less intended.
Common vulnerabilities with Web applications tend to be somewhat specific to the environment, including factors such as operating system, application, and user base. With all these factors in mind, it can be said that Web application vulnerabilities can be roughly confined to the following categories:
Authentication issues
Authorization configuration
Session management issues
Input validation
Encryption strength and implementation
Environment-specific problems
If a Web application requires a user to log on prior to gaining access to the information in an application, this logon must be handled securely. An application that handles logons must be designed to properly handle invalid logons and passwords. Care must be taken that the incorrect or improper entry of information does not reveal information that an attacker could use to gain additional information about a system. An example of this situation is shown in Figure 9-1.
Applications can track information relating to improper or incorrect logons by users if so enabled. Typically, this information comes in log form with entries listing items such as:
Entry of an invalid user ID with a valid password
Entry of an valid user ID with an invalid password
Entry of an invalid user ID and password
Applications should be designed to return very generic information that does not reveal information such as correct usernames. Web apps that return message such as "username invalid" or "password invalid" can give an attacker a target to focus on— such as a correct password.
One tool designed to uncover and crack passwords for Web applications and Web sites is a utility known as Brutus. Brutus is not a new tool, but it does demonstrate one weapon that the attacker has to uncover passwords for Web site and applications. Brutus is a password cracker that is designed to decode different password types present in Web applications. The utility is designed for use by the security professional for testing and evaluation purposes, but an attacker can use it as well.
Brutus is as simple to use as are most tools in this category. The attack or cracking process using Brutus proceeds as follows:
Enter the IP address into the Target field in Brutus. This is the IP address of the server on which the password is intended to be broken.
Select the type of password crack to perform in the type field.
Brutus has the ability to crack passwords in HTTP, FTP, POP3, and NetBus.
Enter the port over which to crack the password.
Configure the Authentication Options for the system. If the system does not require a username or uses only a password or PIN number, choose the Use Username option.
For known usernames, the Single User option may be used and the username entered in the box below it.
Set the Pass Mode and Pass File options.
Brutus has the option to run the password crack against a dictionary word list.
At this point, the password-cracking process can begin; once Brutus has cracked the password, the Positive Authentication field will display it.
Again Brutus is not the newest password cracker in this category, but it is well known and effective. Other crackers in this category include THC Hydra.
Web applications, programs, and code such as Common Gateway Interface (CGI), ASP.NET, and JavaServer Pages (JSP) are commonly in use in Web applications and present their own issues. Using methods such as SQL injections and lack of input validation scripts can be a liability if not managed or created correctly. A savvy attacker can use a number of methods to cause grief to the administrator of a Web application, including the following:
Upload bombing—Upload bombing uploads masses of files to a server with the goal of filling up the hard drive on the server. Once the hard drive of the server is filled, the application will cease to function and crash.
Poison null byte attack—A poison null byte attack passes special characters that the scripts may not be designed to handle properly. When this is done, the script may grant access where it should not otherwise be given.
Default scripts—Default scripts are uploaded to servers by Web designers who do not know what they do at a fundamental level. In such cases, an attacker can analyze or exploit configuration issues with the scripts and gain unauthorized access to a system.
Sample scripts—Web applications may include sample content and scripts that are regularly left in place on servers. In such situations, these scripts may be used by an attacker to carry out mischief.
Poorly written or questionable scripts—Some scripts have appeared that include information such as usernames and passwords potentially letting an attacker view the contents of the script and read these credentials.
A session represents the connection that a client has with the server application. The session information that is maintained between client and server is important and can give an attacker access to confidential information if compromised.
Ideally a session will have a unique identifier, encryption, and other parameters assigned every time a new connection between client and server is created. After the session is exited, closed, or not needed, the information is discarded and not used again (or at least not used for an extended period of time), but this is not always the case.
Some vulnerabilities of this type include:
Long-lived sessions—Sessions between client and server should remain valid only for the length they are needed and then discarded. Sessions that remain valid for periods longer than they are needed allow attackers using attacks such as XSS to retrieve session identifiers and reuse a session.
Logout features—Applications should provide a logout feature that allows a visitor to log out and close a session without closing the browser.
Insecure or weak session identifiers—Session IDs that are easily predicted or guessed, so can be used by an attacker to retrieve or use sessions that should be closed. Some flaws in Web applications can lead to the reuse of session IDs.
Granting session IDs to unauthorized users—Sometimes applications grant session IDs to unauthenticated users and redirect them to a logout page. This can give the attacker the ability to request valid URLs.
Poor or lack of password change controls—An improperly implemented or insecure password change system, in which the old password is not required, allows a hacker to change passwords of other users.
Inclusion of and unprotected information in cookies—Information such as the internal IP address of a server that can be used by a hacker to ascertain more about the nature of the Web application.
In Web applications, encryption plays a vital role because sensitive information is frequently exchanged between client and server in the form of logons or other types of information.
When working on securing Web applications you must consider the safety of information at two stages, when it is being stored and when it is transmitted. Both stages are potential areas for attack and must be considered thoroughly by the security professional. When considering encryption and its impact on the application, the following are areas of concern:
Weak ciphers—Weak ciphers or encoding algorithms are those that use short keys or are poorly designed and implemented. Use of such weak ciphers can allow an attacker to decrypt data easily and gain unauthorized access to the information.
Vulnerable software—Some software implementations that encrypt the transmission of data, such as Secure Sockets Layer (SSL), may suffer from poor programming, and as such become vulnerable to attacks such as buffer overflows.
Some tools and resources are available that can help in assessing the security of Web applications and their associated encryption strategies:
OpenSSL, an open source toolkit used to implement the SSLv3 and TLS v1 protocols
http://www.openssl.org
The OWASP guide to common cryptographic flaws
http://www.owasp.org/asac/cryptographic/
Nessus security scanner that can list the ciphers in use by a Web server
http://www.nessus.org
WinSSLMiM can be used to perform an HTTPS man-in-the-middle attack.
http://www.securiteinfo.com/outils/WinSSLMiM.shtml
Stunnel, a program that allows the encryption of non-SSL-aware protocols
http://www.stunnel.org
One of the most attractive targets for an attacker is the database that contains the information about the site or application. Databases represent that "holy grail" to an attacker due to the information within in them: configuration information, application data, and other data of all shapes and sizes. An attacker that can locate a vulnerable database will find it a very tempting target to go pursue and may very well do so.
Note
Databases of any type can be vulnerable for any number of reasons no matter how secure or "unhackable" the vendor espouses them to be. Vulnerabilities will vary depending on the particular technology and deployment that is in use, but in every case the vulnerabilities are there.
The role of databases as the heart of a number of Web applications is well known and very common. Databases lie at the heart of many well-known Web applications such as Microsoft's SharePoint and other similar technologies. In fact, a majority of Web applications would not function without a database as their back end.
For all its power and complexities, a database can be boiled down into a very simple concept: It is a hierarchical, structured format for storing information for later retrieval, modification, management, and other purposes. The types of information that can be stored within this format vary wildly, but the concept is still the same: storage and retrieval.
In the database world databases are typically categorized based on how they store their data, these organizational types are
Relational database—With a relational database, data can be organized and accessed in different ways as appropriate for the situation. For example, a data set containing all the customer orders in a can be grouped by the Zip code in which the transaction occurred, by the sale price, by the buyer's company name, and so on.
Distributed database—A distributed database is designed to be dispersed or replicated between different locations across a network.
Object-oriented programming database—An object-oriented programming database is built around data-defined object classes and subclasses.
Within a database there are several structures designed to organize and structure information. Each structure allows the data to be easily managed, queried, and retrieved:
Record—Each record in a database represent a collection of related data such information about a person.
Column—Represents one type of data, for example, age data for each person in the database.
Row—One line of data in a database.
Note
SQL was developed by IBM in the early 1970s and has evolved considerably since then. In fact, SQL is the de facto language of databases and is used by systems such as Oracle, Siebel, Access, and Microsoft SQL Server.
In order to work with the data in a database, a special language is used. Structure Query Language (SQL) is a standard language for making interactive queries from and updating a database such as IBM DB2; Microsoft Access; and database products from Oracle, Sybase, and Computer Associates.
Databases have a broad range of applications for everything from storing simple customer data to storing payment and customer information. For example, in an e-commerce application when customers place an order their payment and address information will be stored within a database that resides on a server.
While the function of databases may sound mundane, databases really come into their own when linked into a Web application. A database linked as part of a Web application can make a Web site and its content much easier to maintain and manage. For example, if you use a technology such as ASP.NET, you can modify a Web site's content simply by editing a record in a database. With this linkage, simply changing a record in a database will trigger a change in any associated pages or other areas.
Note
While the database changes from server to server and application to application, the actual concept is the same. The finer details of every database will not be discussed because this would be impossible, but you can learn the broad details that will apply to just about every database.
Another very common use of databases, and one of the higher-profile targets, is in membership or member registration sites. In these types of sites, information about visitors who register with the site is stored within a database. This can be used for a discussion forum, chat room, or many other applications. With potentially large amounts of personal information being stored, an attacker would find this setup ideal for obtaining valuable information.
Note
Of course, the process of actually linking a database to a Web application or page is much more complex than detailed here, but the process is essentially the same no matter the technology.
In essence, a database hosted on a Web server behaves as a database resident on a computer. It is used to store, organize, and transmit data.
Databases can have a myriad of vulnerabilities that leave them susceptible to attack. These vulnerabilities are as varied as the environments the technologies are deployed into. Vulnerabilities include misconfiguration, lack of training, buffer overflows, forgotten options, and other details lurking in the wings waiting for an attacker.
Note
Network and security administrators often lose track of (or just don't know about) database servers on their network. While larger databases are more than likely to be on the administrator's radar, smaller ones that get bundled in with other applications can easily be overlooked.
Before you can uncover the vulnerabilities in databases it is necessary to know what type and where your databases reside. Databases can be easily missed because they may be installed as part of another application or just not reported by the application owner. For example, a product manufactured by Microsoft known as SQL Server Express is a small, free piece of software that is part of various applications that a typical user may install. As such, this database may go unreported by users who are unaware of the security issues involved.
A tool that is very effective at locating these "rogue" or unknown installations is a tool known as SQLPing 3.0. The description of this tool from the vendor's Web site describes the product:
"SQLPing 3.0 performs both active and passive scans of your network in order to identify all of the SQL Server/MSDE installations in your enterprise. Due to the proliferation of personal firewalls, inconsistent network library configurations, and multiple-instance support, SQL Server installations are becoming increasingly difficult to discover, assess, and maintain. SQLPing 3.0 is designed to remedy this problem by combining all known means of SQL Server/MSDE discovery into a single tool which can be used to ferret out servers you never knew existed on your network so you can properly secure them."
A screenshot from SQLPing 3.0 is shown in Figure 9-2.
A cousin of SQLPing is a product known as SQLRecon. This product is very similar to SQLPing, but also employs additional techniques to discover SQL Server installations that may be hidden:
"SQLRecon performs both active and passive scans of your network in order to identify all of the SQL Server/MSDE installations in your enterprise. Due to the proliferation of personal firewalls, inconsistent network library configurations, and multiple-instance support, SQL Server installations are becoming increasingly difficult to discover, assess, and maintain. SQLRecon is designed to remedy this problem by combining all known means of SQL Server/MSDE discovery into a single tool which can be used to ferret-out servers you never knew existed on your network so you can properly secure them."
Running a scan with either of these tools will give you information about where you may have SQL Server installations that you are unaware of.
Note
Don't get caught in the trap of thinking that these tools should be run only to detect hidden servers when you suspect that they exist. You should consider periodically running these tools, or similar ones, as an audit mechanism to detect servers that may pop up from time to time.
After a database has been located, the next step an attacker can choose to take is to see whether the password can be broken. A feature that is included in SQLPing3.0 is a password-cracking capability that can be used to target a database server and break its passwords. The password-cracking capabilities included with the product include the ability to use dictionary-based cracking methods to bust the passwords.
Note
The tools discussed so far have been targeted toward SQL Server, but other vendors have their databases on the market, too. If you need to crack passwords in some of these other technologies, a good tool is Cain. This tool has the ability to crack passwords of databases such as those found in SQL Server, MySQL, and Oracle password hashes.
Every database is prone to its own types of vulnerabilities, but there are some common ones that can be exploited using the right tools. Some common vulnerabilities include:
Unused stored procedures
Services account privilege issues
Weak or poor authentication methods enabled
No (or limited) audit log settings
Having knowledge of the database that you are using can go a long way toward thwarting these problems, but other there are some other methods that can be used. One effective method for uncovering problems is to consider the security problem from both an insider and outsider's perspective. Use tools and methods that an attacker that has no knowledge of the system might use.
Two pieces of software that are useful for perform audits on databases are known as NGSSquirrel and AppDetective.
NGSSquirrel from NGS Software is a tool used to audit databases to uncover vulnerabilities. In NGS Software's own words from its Web site:
"NGSSQuirreL for Oracle is our vulnerability assessment scanner that sets the standard. Developed with the help of the highly experienced NGSResearch Team, it has been specifically developed for use with Oracle Database Servers, allowing system administrators and security professionals to expose potential vulnerabilities. More than simply a scanner, it provides the capability to audit password quality, rectify identified threats, and manage users and roles as well as system and object privileges."
Note
NGS Software offers versions of this product for Oracle, SQL Server, DB2, Sybase, and Informix.
The other software mentioned is AppDetective. In the vendor's own words:
"With a policy driven scanning engine, AppDetectivePro identifies vulnerabilities and misconfigurations. Issues identified include default or weak passwords, missing patches, poor access controls, and a host of other conditions. A flexible assessment framework allows auditors to choose between an outside-in, 'hackers eye view' of the database which requires no credentials, or a more thorough inside-out scan which is facilitated through a read-only database account.
AppDetectivePro includes built-in templates to satisfy the requirements of security best practices and various regulatory compliance initiatives. Compliance standards covered include DISA STIG, NIST 800-53 (FISMA), PCI DSS, HIPAA, GLBA, Sarbanes-Oxley, ISO 27001, CoBIT, and Canada's MITS.
Protecting databases can be as simple as making sure their existence is not so obvious. Keeping a database hidden from casual and even some aggressive scans by attackers is not a difficult task because the tools are quite often at your fingertips. Most Web servers, Web applications, and the databases hosted in the environment include some security features that can make a huge difference in protecting the database from would-be attackers:
Learn the provided security features in the database system—Protect the stability of the database and its surrounding applications by evaluating the use of what is known as process isolation. Process isolation provides extra protection against catastrophic failure of a system by ensuring that one process crashing will not take others with it.
Evaluate the use of nonstandard ports—Some applications must run on standard ports such as 1433 for SQL Server. If your application does not require a specific port, consider changing it to one that is not commonly looked for or is unusual, making an attacker have to do more work.
Keep up to date—Keep on top of the patches and service packs that are made available for your system. Apply the patches where appropriate to ensure that you do not become a victim of a bug or defect that has already been addressed.
It's as good as its foundation—The database doesn't live on an island someplace by itself; it is installed on an operating system. Ensure that the operating system in use always has the latest patches and service packs installed.
Use a firewall—Don't fling a database into the void; use a firewall to protect it. A good firewall can provide tremendous protection to a database server, making sure that too much information is never exposed.
Today the public face of just about every organization is its Web site, along with its Web application and the features they offer. Companies tend to host a wide variety of content on the servers that their customers or potential customers will be interacting with. A Web site being the first point of contact for customers is also something that is an attractive target for an attacker. With a well-placed attack, an individual with an ax to grind can embarrass a company by defacing its Web site or stealing information.
As a security professional, one of the tasks you are charged with is safeguarding this asset and the infrastructure that is attached to it. Defending a Web server requires special care and knowledge to make the information and content available, but at the same time protect it from unnecessary exposure to threats. This task is trickier than it sounds because a balance has to be struck between making the content accessible to the appropriate audience while at the same time ensuring that it is secure. In addition, the Web server cannot be considered a standalone entity, because it will usually be attached to the organization's own network, meaning that threats against the server can flow over into the company network as well.
Making the situation more complex is the fact that Web servers may not only host regular Web pages but also Web applications and databases. More and more organizations are looking to Web services such as streaming video and Web applications such as SharePoint to make a more dynamic experience for their clients. More organizations are hosting content such as databases online for a wide range of reasons. Each of these situations represents another detail that the security professional must address properly to make sure that the server and the organization are safe and secure.
Input validation is a result of SOL injections.
True
False
Web applications are used to_______.
Allow dynamic content
Stream video
Apply scripting
Security controls
Which of the following challenges can be solved by firewalls?
Protection against buffer overflows
Protection against scanning
Enforcement of privileges
Ability to use nonstandard ports
Databases can be a victim of source code exploits.
True
False
The stability of a Web server does not depend on the operating system.
True
False
_______are scripting languages.
ActiveX
Java
CGI
ASP.NET
_______is used to audit databases.
Ping
IPConfig
NGSSquirrel
Browsers do not display _______.
ActiveX
Hidden fields
Java
Javascript
_______can be caused by the exploitation of defects and code.
Buffer overflows
SQL injection
Buffer injection
Input validation