Chapter 13: Web Servers & Web Apps Flashcards Preview


Flashcards in Chapter 13: Web Servers & Web Apps Deck (26)
1
Q

Web application

A

an application that runs on a remote server and is accessed through a client (e.g. Netflix, where the application is presented through a client interface such as a browser or other piece of SW)

web apps are designed to run across platforms, whereas native apps are targeted for specific platforms

Most processing done on server!! Client is used for user input, server used for storage

***HTTPS //encrypts data in transit

2
Q

Server Administrators

A

concerned w/ safety, security, and functioning of web server from operational standpoint

3
Q

NW Administrators

A

concerned w/ infrastructure and functioning of NW as a whole

4
Q

End Users

A

they interact w/ the web server and application as a consumer & user of info

5
Q

The client & server

A

A server application is hosted on a web server and is designed to be accessed remotely via a web browser or web-enabled application; Information is stored on the server

Typically multiple clients can access the server simultaneously to retrieve, view, or modify data

6
Q

Why choose a web app over client-server models

A

Client app doesn’t have to be developed for each platform; since most web apps are run within a web browser, the underlying architecture becomes unimportant

7
Q

Web applications are dependent on the use of what technologies?

A

Server-side technologies such as ASP (active server pages) or PHP (Personal Home page or Hypertext Preprocessor)

Client-side technologies include Dynamic HTML (DHTML), JavaScript, etc.

8
Q

You can visualize a web app not only as consisting of a client and server, but as layers (3):

A

1) PRESENTATION LAYER //display of info to user on client side
2) LOGIC LAYER //manipulation of info (transformed or edited into the form it needs to be stored or presented in)
3) DATA LAYER //holding data for application as a whole

9
Q

define Stateless

A

Stateless HTTP refers to the fact that the protocol does not keep track of session information from one connection to the next; each communication in HTTP is treated as a separate connection

10
Q

define cookies

A

a file stored on a client system that is used as a token by applications to store information of some type

11
Q

Pieces of a web app (9)

A

1) LOGIN
2) WEB SERVER //foundation for whole system
3) SESSION TRACKING //storage of info
4) PERMISSIONS //determine what level of access user has to resources on server
5) APPLICATION CONTENT //info user is interacting with
6) DATA ACCESS //web pages in a web app that provide access to the data
7) DATA STORE //valuable info is contained here
8) LOGIC //responsible for interacting w/ user & providing correct info to be extracted from DB
9) LOGOUT //used by users to shut down their connection

12
Q

Vulnerabilities of Web Servers & Applications (7)

A

1) FLAWED WEB DESIGN //comments and hidden tags embedded into a web page can yield information
2) BUFFER OVERFLOW //when an application puts more data in a buffer than it was designed to hold; programmer malpractice could create a buffer w/ no restrictions; overflow of data results in corruption or overwritten data; as a result data could lose its integrity, be lost, or be disclosed
3) DoS
4) DDoS
5) BANNER INFORMATION //reveals information about server or web application//use telnet or PuTTY to extract banner info (would look like HTTP/1.1 ….Server: [name] etc) //telnet www..com 80
6) ERROR MESSAGES //can reveal info about a server or web application
7) VANDALIZING WEB SERVERS //defacing a website

13
Q

Common attack methods on Web Applications

A

1) INPUT VALIDATION //mechanism used to verify info as it is entered; sites w/ few restrictions placed on what data can be entered give way to problems such as: DB manipulation, DB corruption, Buffer Overflow, Inconsistent data, SQL injections
2) XSS //input validation attack that relies on the user instead of the application or data; can inject malicious code to gain info from the session
3) INSECURE LOGON SYSTEMS //when an invalid user ID, PW, or both are entered, the website might return that “an entry of an invalid user ID with a valid password” was made; sites should return generic info
4) SCRIPTING ERRORS //depending on the code used (ASP, CGI, JSP); vulnerabilities are presented
5) SESSION MGMT ISSUES
6) ENCRYPTION WEAKNESSES //data should be encrypted when stored and transmitted
7) DIRECTORY TRAVERSAL ATTACK //allows a request to reach outside of the web server directory & into other parts of the host system

14
Q

Performing a PW crack

A

Tool used: Brutus

Page 576

15
Q

Scripting Error Attacks (5)

A

1) UPLOAD BOMBING //uploading mass files to fill up storage on the server making server crash or stop
2) POISON NULL BYTE ATTACK //passes special characters the scripts may not be designed to handle properly, the script may grant access where it shouldn’t
3) DEFAULT SCRIPTS //use of default scripts can allow attackers to exploit configuration issues & gain unauthorized access
4) SAMPLE SCRIPTS //web apps can include sample content that is left in place by servers; attackers can use that to carry out attack
5) POORLY WRITTEN OR QUESTIONABLE SCRIPTS //some include usernames, passwords

16
Q

Vulnerabilities of Session Mgmt Issues

A

1) LONG-LIVED SESSIONS //sessions that remain valid longer than they are needed
2) LOGOUT FEATURES //some sites don’t have a logout feature, but instead need you to close the browser
3) INSECURE OR WEAK SESSION IDENTIFIERS //easily guessed or predicted session IDs
4) GRANTING OF SESSION IDs to UNAUTHORIZED USERS //sometimes apps grant unauthorized users session IDs & redirect them to a logout page, giving them the ability to request valid URLs
5) POOR OR NO PASSWORD CHANGE CONTROLS //the old PW may not be required in order to change PWs
6) INCLUSION OF UNPROTECTED INFORMATION in COOKIES

17
Q

Vulnerabilities of weak encryptions

A

1) WEAK CIPHERS //weak encryption allows attacker to easily decrypt data
2) VULNERABLE SW //some SW implementations that encrypt the transmission of data, such as SSL (secure sockets layer), may suffer from poor programming

18
Q

Directory Traversal Attack takes advantage of errors such as:

A

1) ACCESS CONTROL LISTS (ACLs) //used to indicate which users and groups are allowed to access files and directories on a server as well as the level of interaction allowed
2) ROOT DIRECTORY //directory on the server where users are specifically restricted; contains sensitive files

19
Q

Walk through Directory Traversal Attack

A

Web apps w/ dynamic pages (such as ASP or ASP.NET)

Input is usually received from browsers through the GET or POST request methods; an example of a GET HTTP request URL:

http://beta.canadiens.com/show.asp?view=history.html

The browser requests the dynamic page SHOW.ASP from the server & also sends the parameter VIEW w/ the value HISTORY.HTML

When this request is executed on the web server, SHOW.ASP retrieves the file HISTORY.HTML from the server’s file system & returns it to the requesting party

We can alter the URL by doing the following to retrieve system.ini

http://beta.canadiens.com/show.asp?view=../

the two dots allow you to traverse up one directory

20
Q

Countermeasures of a Directory Traversal Attack

A

1) RUNNING MODERN WEB SERVER SW OR UPDATE PATCHES

2) ENABLE FILTERING OF USER INPUT TO WEB SERVER

21
Q

Which of the following best describes a web application?

a) code designed to be run on the client
b) code designed to be run on the server
c) SQL code for DBs
d) targeting of webservices

A

b) code designed to be run on the server

22
Q

Which of the following can prevent bad input from being presented to an application?

a) filtering
b) validation
c) scanning
d) traversing

A

b) validation //input validation is done on the client side whereas filtering is done on the server side

23
Q

Which tool can be used to view web server information?

a) netstat
b) netcraft
c) warcraft
d) TCP view

A

d) TCP view //allows viewing of TCP connections between client & server

24
Q

What is the command to retrieve header information from a web server using telnet?

a) telnet 80
b) telnet 443
c) telnet -port: 80
d) telnet -port:443

A

a) telnet 80

25
Q

What may be helpful in protecting the content on a web server from being viewed by unauthorized personnel?

a) encryption
b) permissions
c) redirection
d) firewalls

A

a) encryption

26
Q

A common attack against web servers and web applications is

a) banner grab
b) input validation
c) buffer validations
d) buffer overflow

A

d) buffer overflow