Vulnerabilities of Web Servers & Applications

    Web applications and web servers have many of the vulnerabilities other pieces of software have. For some organizations the Internet-facing website and the web services it offers may be the only and most important thing. For organizations that have no traditional location, the web site and the services it offers may be their only face. Taking down or compromising these systems can have a fatal impact on the target company and is therefore of value to an attacker.

    Flawed Web Design
    One way to exploit a web application may be through the code itself. Comments and hidden form field tags may yield useful information to an attacker. Although comments and hidden form fields are not meant to be presented to the end user, an attacker can still find them. Searching the source code for keywords such as "FIXME" or "TODO" may reveal issues that are not yet fixed. It may also be possible to locate issues the vendor has not yet discovered. E-mail addresses, subdomains and links to 3rd parties may also make an interesting find. As hidden fields are not meant for the end user, these fields may even contain information an attacker benefits from altering in some manner. Keeping an item price in a hidden form field in an online web shop may allow an attacker to alter the price when buying the item. What would happen if this value was set to a value below zero?
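The hidden-price problem above, shown as an added example (not code from the original post): a checkout handler that trusts a client-supplied hidden price next to one that looks the price up server-side and range-checks the quantity. The catalogue, SKUs and request dictionaries are constructed for illustration.

```python
from decimal import Decimal

# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOGUE = {"sku-1001": Decimal("49.99"), "sku-2002": Decimal("5.00")}

def total_trusting_hidden_fields(form):
    """Vulnerable pattern: the unit price is read back from a hidden form field.
    The field is invisible in the browser but fully under the client's control,
    so a tampered request sets its own price, including a negative one."""
    return Decimal(form["price"]) * int(form["quantity"])

def total_server_side(form, catalogue=CATALOGUE):
    """Hardened pattern: only an item id and a quantity are accepted from the
    client. The price is looked up server-side, the quantity is range-checked,
    and anything that looks tampered raises ValueError instead of being priced."""
    sku = form.get("sku")
    if sku not in catalogue:
        raise ValueError("unknown item")
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity is not an integer") from None
    if not 1 <= quantity <= 100:
        raise ValueError("quantity out of range")
    # A client-supplied "price" is ignored outright. The hardened form has no such
    # field, so its presence in a request is itself worth logging as tampering.
    return catalogue[sku] * quantity

def is_rejected(form, catalogue=CATALOGUE):
    """True when the hardened handler refuses to price the order."""
    try:
        total_server_side(form, catalogue)
    except ValueError:
        return True
    return False

# Constructed requests: one honest, one with a negative hidden price,
# one with a negative quantity.
HONEST = {"sku": "sku-1001", "quantity": "2", "price": "49.99"}
TAMPERED_PRICE = {"sku": "sku-1001", "quantity": "2", "price": "-10.00"}
TAMPERED_QTY = {"sku": "sku-1001", "quantity": "-1"}
```

With the tampered price the vulnerable handler happily computes a negative total (a refund for buying), while the hardened one prices the same order from the catalogue and rejects the negative quantity.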

    Buffer Overflows
    A fairly common vulnerability in the web server itself, as in all software, is the buffer overflow, which is what happens when it is possible to put more information into a buffer than it can hold. When an application or a process attempts to put more data in a buffer than it was allocated to hold, this data spills into other buffers or into the stack of the process. This is why good programming practices and proper input validation should be part of the programming policy. In some cases the result is corrupted information, which may also lead to a denial of service and, in the worst case, remote code execution (RCE).

    Denial-of-Service Attack
    A web site or web service is a fixed asset and is an easy target for attacks like the Denial-of-Service (DoS) attack. When this kind of attack is performed the web service may spend most or all of its resources on handling traffic from the attacker. Usually this will slow down the server's performance and in some cases crash the server. A variety of DoS attacks exists and they all have a different impact. Ordinary ICMP packets require fewer resources to handle than, say, a Layer 7 attack on the web application itself.
    For the sake of this example I do not consider spoofed IP addresses; if the address is not spoofed, it is trivial to stop the attack just by blocking the attacker's IP address.

    Distributed Denial-of-Service Attack
    This attack is almost the same as a DoS attack except for the fact that it has more than one source, likely thousands or more. The effect has a far higher impact than the same attack originating from just one source; the big difference from a DoS attack is pure scale. This is also one factor that makes the attack harder to mitigate, and it often comes down to how much the target can handle in terms of bandwidth, processing power etc. A GEO firewall may be one way to minimize this kind of attack, but it is likely not possible to completely stop it.

    Some common attacks in this category are...

    Ping Flooding Attack
    The attacking party sends as many ping packets as the resources available allow it to send.

    Smurf Attack
    This attack is somewhat similar to the Ping Flood Attack, but the destination is an intermediate network's broadcast IP address, with the target as the spoofed source address, amplifying the attack. Several hosts in the intermediate network may reply to the spoofed source address with a ping reply.

    SYN Flood Attack
    SYN packets are sent to the victim, triggering a SYN/ACK response, but the attacker never replies with the final ACK, which results in the server having many half-open connections filling the backlog to its maximum. The source IP address is usually spoofed, and is sometimes chosen so that a second target is attacked simultaneously.
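Detecting the half-open connection build-up described above, as an added example that is not part of the original post: the function parses a socket table in the style of `ss -tan` output and reports how much of the table is half-open, how many distinct peers are involved and which peers exceed a per-source threshold. The socket table, addresses and threshold are constructed for illustration.

```python
from collections import Counter

# Constructed socket table in the style of `ss -tan` output (not a real capture).
SOCKET_TABLE = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      10.0.0.5:443        198.51.100.7:51234
SYN-RECV  0      0      10.0.0.5:443        203.0.113.10:40001
SYN-RECV  0      0      10.0.0.5:443        203.0.113.10:40002
SYN-RECV  0      0      10.0.0.5:443        203.0.113.10:40003
SYN-RECV  0      0      10.0.0.5:443        203.0.113.10:40004
SYN-RECV  0      0      10.0.0.5:443        203.0.113.11:40005
ESTAB     0      0      10.0.0.5:443        198.51.100.8:51235
SYN-RECV  0      0      10.0.0.5:80         203.0.113.12:40006
"""

# Half-open (SYN received, final ACK never seen) as spelled by ss and netstat.
HALF_OPEN_STATES = {"SYN-RECV", "SYN_RECV"}

def parse_socket_table(text):
    """Return (state, local_port, peer_ip) tuples; the header row is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        rows.append((state, local.rsplit(":", 1)[1], peer.rsplit(":", 1)[0]))
    return rows

def half_open_summary(text, per_source_threshold=3):
    """Summarise the backlog: a high half-open ratio is the flood signal itself;
    per-source counts only help when the sources are not spoofed, because a
    spoofed flood spreads over many peers that each appear only once."""
    rows = parse_socket_table(text)
    half_open = [r for r in rows if r[0] in HALF_OPEN_STATES]
    per_source = Counter(peer for _, _, peer in half_open)
    return {
        "total": len(rows),
        "half_open": len(half_open),
        "half_open_ratio": len(half_open) / len(rows) if rows else 0.0,
        "distinct_sources": len(per_source),
        "noisy_sources": {ip: n for ip, n in per_source.items()
                          if n >= per_source_threshold},
    }
```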

    IP Fragmentation Attack
    This attack is an attempt to bypass some intrusion-detection systems (IDS). For an IDS to analyze the full payload it has to wait for subsequent packets, because it needs more than just one fragment to reassemble the packet before it can analyze it. By the time the IDS evaluates this packet as malicious, the fragments have already arrived at the target. Note that an IDS works with some delay to minimize packet loss.

    Banner Grabbing
    A banner grab can sometimes reveal which software the web server is running, and this often includes version numbers. Now and then information such as the operating system is revealed as well. It is possible to sanitize this information, or have the web server present bogus information, so that the attacker has to find it in other ways. This kind of information may at first glance not seem very useful, but knowing what software and version the server is running may lead the attacker to an existing exploit or weakness for that particular software.

    Error Messages
    Error messages can reveal a lot of useful information about the web server and the application it is serving to the end user. Sometimes error messages reveal information such as the web server software and version. At other times they may reveal information such as file locations, variable names, usernames, DBMS software and more. Error messages can be suppressed or tuned to not give away critical information.
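A defender's check for both the Banner Grabbing and Error Messages points above, as an added example that is not part of the original post: it parses a raw HTTP response and flags version-carrying banners and error text that leaks paths, usernames or database internals, which is what a hardening pass should make disappear. Both responses, the header names and the body patterns are constructed for illustration.

```python
import re

# Constructed raw HTTP responses (not captured from a real server).
LEAKY_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<b>Warning</b>: mysqli_connect(): Access denied for user 'shopadmin'@'localhost' in /var/www/html/includes/db.php on line 12"
)
SAFE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: webserver\r\n"
    "Content-Type: text/html\r\n\r\n"
    "An error occurred. Reference id: 7f3a"
)

VERSION_RE = re.compile(r"\d+\.\d+")
# Headers whose only purpose is to advertise the platform; any value is a finding.
PLATFORM_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
# Body fragments that indicate an unhandled error leaking internals.
BODY_PATTERNS = {
    "file path": re.compile(r"(/var/www/|/home/|[A-Z]:\\inetpub\\)\S*", re.I),
    "database error": re.compile(r"(mysqli?_|ORA-\d{5}|pg_query|SQLSTATE|ODBC)", re.I),
    "username": re.compile(r"for user '([^']+)'"),
    "source line": re.compile(r"\bon line \d+\b"),
}

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body

def audit_response(raw):
    """Return (category, evidence) findings for information the response gives
    away through banner headers or verbose error text; [] means nothing leaked."""
    _, headers, body = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    if VERSION_RE.search(server):          # a bare product name like "webserver" is fine
        findings.append(("version banner", f"server: {server}"))
    for name in PLATFORM_HEADERS:
        if name in headers:
            findings.append(("platform banner", f"{name}: {headers[name]}"))
    for category, pattern in BODY_PATTERNS.items():
        m = pattern.search(body)
        if m:
            findings.append((category, m.group(0)))
    return findings
```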

    Web servers are the target of a wealth of attacks. One reason is that web servers are plentiful, and a well-orchestrated query on a search engine can find plenty of low-hanging fruit such as outdated web servers, poorly written applications, installations with default settings etc. Google Dorks are popular for a reason.
    Defacing a website can be aggressive or subtle, depending on the goal of the attacker, but either way the result is the same: a compromised web server.