Vulnerabilities of Web Servers and Applications

Web applications and web servers have many of the vulnerabilities you have encountered in this book so far, but others are unique to this environment. Because websites, servers, and applications are the side of the company the public usually encounters, they
represent an obvious target. Amplifying the issue is the fact that, as opposed to a couple of decades ago, many companies exist only within cyberspace with no brick-and-mortar location (for example, Amazon, eBay, and Facebook). Taking down or compromising these systems can be a coup for the attacker and devastating for the target company.

Let’s look at some of the vulnerabilities an attacker can exploit for gain.

Flawed Web Design

One common way to exploit a web application or site is in the code itself. Comments and hidden tags that are embedded into a web page by the designer can yield information to an attacker. Although these types of tags and information are not intended to be displayed in a web browser, they can be viewed and analyzed using the View Code or Source capability present in most browsers.

The source code of a page could reveal something like the following:

<form method=”post” action=”../../cgi-bin/formMail.pl”>

<!–Regular FormMail options—->

<input type=hidden name=”recipient” value=”[email protected]”>

<input type=hidden name=”subject” value=”Message from website visitor”>

<input type=hidden

name=”required” value=”Name,Email,Address1,City,State,Zip,Phone1″>

<input type=hidden name=”redirect” value=”http://www.termina.com/received.htm”>

<input type=hidden name=”servername” value=”https://payments.termina.com”>

<input type=hidden name=”env_report” value=”REMOTE_HOST, HTTP_USER_AGENT”>

<input type=hidden name=”title” value=”Form Results”>

<input type=hidden

name=”return_link_url” value=”http://www.someplace.com/main.html”>

<input type=hidden name=”return_link_title” value=”Back to Main Page”>

<input type=hidden

name=”missing_fields_redirect” value=”http://www.termina.com/error.html”>

name=”missing_fields_redirect” value=”http://www.termina.com/error.html”>

<input type=hidden name=”orderconfirmation” value=”[email protected]”>

<input type=hidden name=”cc” value=”[email protected]”>

<input type=hidden name=”bcc” value=”[email protected]”>

<!–Courtesy Reply Options–>

The code contains information useful to an attacker. Although the information may not be completely actionable, it does provide something. Notice the email addresses and even what appears to be a payment processing server (payments.termina.com). This is information that an attacker can use to target an attack. The following is another example of a vulnerability in code that can be exploited:

<FORM ACTION =http://111.111.111.111/cgi-bin/order.pl” method=”post”

<input type=hidden name=”price” value=”6000.00″>

<input type=hidden name=”prd_id” value=”X190″>

QUANTITY: <input type=text name=”quant” size=3 maxlength=3 value=1>

In this example, the application designer has used hidden fields to hold the price of an item. Unscrupulous attackers could change the price of the item from $6,000.00 to $60.00 and make their own discount.

Buffer Overflow

A common vulnerability in web servers, and all software, is buffer overflow. A buffer overflow occurs when an application, process, or program attempts to put more data in a buffer than it was designed to hold. In practice, buffers should hold only a specific amount of data and no more. In the case of a buffer overflow, a programmer, either through lazy coding or other practices, creates a buffer in code but does not put restrictions on it. The data must go somewhere, which in this case means adjacent buffers. When data spills or overflows into the buffers it was not intended for, the result can be corrupted or overwritten data. If this occurs, that data can lose its integrity. In extreme cases, buffer overwriting can lead to anything from a loss of system integrity to the disclosure of information to unauthorized parties.

 

Please follow and like us:

Leave a Reply

Your email address will not be published.