| |
Here we see a comment left by the development/QA personnel
indicating what one should do if the image files do not show up. The
security breach is the Host name of the server that is mentioned
explicitly in the code, "VADER"..
An example of a verbose error message can be the response to an
invalid query. A prominent example is the error message associated
with SQL queries. SQL Injection attacks typically require the attacker
to have prior knowledge of the structure or format used to create SQL
queries on the site. The information leaked by a verbose error
message can provide the attacker the crucial information on how to
construct valid SQL queries for the backend database.
The following was returned when placing an apostrophe into the
username filed of a login page:
Verbose error message:
An Error Has Occurred.
Error Message:
System.Data.OleDb.OleDbException: Syntax error (missing
operator) in query expression 'username = ''' and password =
'g''. at
System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling (
Int32 hr) at
System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult
( tagDBPARAMS dbParams, Object& executeResult) at
In the first error statement a syntax error is reported. The error
message reveals the query parameters that are used in the SQL
query: username and password. This leaked information is the
missing link for an attacker to begin to construct SQL Injection attacks
against the site.
References
"Best practices with custom error pages in .Net", Microsoft Support
http://support.microsoft.com/default.aspx?scid=kb;en-us;834452
"Creating Custom ASP Error Pages", Microsoft Support
http://support.microsoft.com/default.aspx?scid=kb;en-us;224070
"Apache Custom Error Pages", Code Style
http://www.codestyle.org/sitemanager/apache/errors-Custom.shtml
"Customizing the Look of Error Messages in JSP", DrewFalkman.com
http://www.drewfalkman.com/resources/CustomErrorPages.cfm
ColdFusion Custom Error Pages
http://livedocs.macromedia.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/Errors6.htm
Obfuscators :
JAVA
http://www.cs.auckland.ac.nz/~cthombor/Students/hlai/hongying.pdf
5.3 Path Traversal
The Path Traversal attack technique forces access to files,
directories, and commands that potentially reside outside the web
document root directory. An attacker may manipulate a URL in such a
way that the web site will execute or reveal the contents of arbitrary
files anywhere on the web server. Any device that exposes an HTTP-
based interface is potentially vulnerable to Path Traversal.
Most web sites restrict user access to a specific portion of the file-
system, typically called the "web document root" or "CGI root"
directory. These directories contain the files intended for user access
and the executables necessary to drive web application functionality.
To access files or execute commands anywhere on the file-system,
Path Traversal attacks will utilize the ability of special-characters
sequences.
The most basic Path Traversal attack uses the "../" special-
character sequence to alter the resource location requested in the
URL. Although most popular web servers will prevent this technique
from escaping the web document root, alternate encodings of the
"../" sequence may help bypass the security filters. These method
variations include valid and invalid Unicode-encoding ("..%u2216" or
"..%c0%af") of the forward slash character, backslash characters
("..\") on Windows-based servers, URL encoded characters
("%2e%2e%2f"), and double URL encoding ("..%255c") of the
backslash character.
Even if the web server properly restricts Path Traversal attempts in
the URL path, a web application itself may still be vulnerable due to
improper handling of user-supplied input. This is a common problem
of web applications that use template mechanisms or load static text
from files. In variations of the attack, the original URL parameter
value is substituted with the file name of one of the web application's
dynamic scripts. Consequently, the results can reveal source code
because the file is interpreted as text instead of an executable script.
These techniques often employ additional special characters such as
the dot (".") to reveal the listing of the current working directory, or
"%00" NUL characters in order to bypass rudimentary file extension
checks.
Example
Path Traversal attacks against a web server
Attack: http://example/../../../../../some/file
Attack: http://example/..%255c..%255c..%255csome/file
Attack: http://example/..%u2216..%u2216some/file
Path Traversal attacks against a web application
Original: http://example/foo.cgi?home=index.htm
Attack: http://example/foo.cgi?home=foo.cgi
In the above example, the web application reveals the source code of
the foo.cgi file because the value of the home variable was used
as content. Notice that in this case the attacker does not need to
submit any invalid characters or any path traversal characters for the
attack to succeed. The attacker has targeted another file in the same
directory as index.htm.
Path Traversal attacks against a web application using special-
character sequences:
Original: http://example/scripts/foo.cgi?page=menu.txt
Attack:
http://example/scripts/foo.cgi?page=../scripts/foo.cgi%00txt
In above example, the web application reveals the source code of the
foo.cgi file by using special-characters sequences. The "../"
sequence was used to traverse one directory above the current and
enter the /scripts directory. The "%00" sequence was used both to
bypass file extension check and snip off the extension when the file
was read in.
Reference
"CERT¨ Advisory CA-2001-12 Superfluous Decoding Vulnerability in IIS"
http://www.cert.org/advisories/CA-2001-12.html
"Novell Groupwise Arbitrary File Retrieval Vulnerability"
http://www.securityfocus.com/bid/3436/info/
5.4 Predictable Resource Location
Predictable Resource Location is an attack technique used to
uncover hidden web site content and functionality. By making
educated guesses, the attack is a brute force search looking for
content that is not intended for public viewing. Temporary files,
backup files, configuration files, and sample files are all examples of
potentially leftover files. These brute force searches are easy
because hidden files will often have common naming convention and
reside in standard locations. These files may disclose sensitive
information about web application internals, database information,
passwords, machine names, file paths to other sensitive areas, or
possibly contain vulnerabilities. Disclosure of this information is
valuable to an attacker.
Predictable Resource Location is also known as Forced Browsing,
File Enumeration, Directory Enumeration, etc.
Example
Any attacker can make arbitrary file or directory requests to any
publicly available web server. The existence of a resource can be
determined by analyzing the web server HTTP response codes.
There are several of Predictable Resource Location attack variations:
Blind searches for common files and directories
/admin/
/backup/
/logs/
/vulnerable_file.cgi
Adding extensions to existing filename: (/test.asp)
/test.asp.bak
/test.bak
/test
6 Logical Attacks
The Logical Attacks section focuses on the abuse or exploitation of a
web application's logic flow. Application logic is the expected
procedural flow used in order to perform a certain action. Password
recovery, account registration, auction bidding, and eCommerce
purchases are all examples of application logic. A web site may
require a user to correctly perform a specific multi-step process to
complete a particular action. An attacker may be able to circumvent
or misuse these features to harm a web site and its users.
6.1 Abuse of Functionality
Abuse of Functionality is an attack technique that uses a web site's
own features and functionality to consume, defraud, or circumvents
access controls mechanisms. Some functionality of a web site,
possibly even security features, may be abused to cause unexpected
behavior. When a piece of functionality is open to abuse, an attacker
could potentially annoy other users or perhaps defraud the system
entirely. The potential and level of abuse will vary from web site to
web site and application to application.
Abuse of Functionality techniques are often intertwined with other
categories of web application attacks, such as performing an
encoding attack to introduce a query string that turns a web search
function into a remote web proxy. Abuse of Functionality attacks are
also commonly used as a force multiplier. For example, an attacker
can inject a Cross-site Scripting snippet into a web-chat session and
then use the built-in broadcast function to propagate the malicious
code throughout the site.
In a broad view, all effective attacks against computer-based systems
entail Abuse of Functionality issues. Specifically, this definition
describes an attack that has subverted a useful web application for a
malicious purpose with little or no modification to the original function.
Example
Examples of Abuse of Functionality include: a) Using a web site's
search function to access restricted files outside of a web directory, b)
Subverting a file upload subsystem to replace critical internal
configuration files, and c) Performing a DoS by flooding a web-login
system with good usernames and bad passwords to lock out
legitimate users when the allowed login retry-limit is exceeded. Other
real-world examples are described below.
Matt Wright FormMail
The PERL-based web application "FormMail" was normally used to
transmit user-supplied form data to a preprogrammed e-mail address.
The script offered an easy to use solution for web site's to gather
feedback. For this reason, the FormMail script was one of the most
popular CGI programs on-line. Unfortunately, this same high degree
of utility and ease of use was abused by remote attackers to send e-
mail to any remote recipient. In short, this web application was
transformed into a spam-relay engine with a single browser web
request.
An attacker merely has to craft an URL that supplied the desired e-
mail parameters and perform an HTTP GET to the CGI, such as:
http://example/cgi-bin/FormMail.pl? recipient=email@victim.example&message=you%20got%20spam
An email would be dutifully generated, with the web server acting as
the sender, allowing the attacker to be fully proxied by the web-
application. Since no security mechanisms existed for this version of
the script, the only viable defensive measure was to rewrite the script
with a hard-coded e-mail address. Barring that, site operates were
forced to remove or replace the web application entirely.
Macromedia's Cold Fusion
Sometimes basic administrative tools are embedded within web
applications that can be easily used for unintended purposes. For
example, Macromedia's Cold Fusion by default has a built-in module
for viewing source code that is universally accessible. Abuse of this
module can result in critical web application information leakage.
Often these types of modules are not sample files or extraneous
functions, but critical system components. This makes disabling
these functions problematic since they are tied to existing web
application systems.
Smartwin CyberOffice Shopping Cart Price Modification
Abuse of functionality is performed when an attacker alters data in an
unanticipated way in order to modify the behavior of the web
application. For example, the CyberOffice shopping cart can be
abused by changing the hidden price field within the web form. The
web page is downloaded normally, edited and then resubmitted with
the prices set to any desired value.
References
"FormMail Real Name/Email Address CGI Variable Spamming Vulnerability"
http://www.securityfocus.com/bid/3955
"CVE-1999-0800"
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0800
"CA Unicenter pdmcgi.exe View Arbitrary File"
http://www.osvdb.org/displayvuln.php?osvdb_id=3247
"PeopleSoft PeopleBooks Search CGI Flaw"
http://www.osvdb.org/displayvuln.php?osvdb_id=2815
"iisCART2000 Upload Vulnerability"
http://secunia.com/advisories/8927/
"PROTEGO Security Advisory #PSA200401"
http://www.protego.dk/advisories/200401.html
"Price modification possible in CyberOffice Shopping Cart"
http://archives.neohapsis.com/archives/bugtraq/2000-10/0011.html
6.2 Denial of Service
Denial of Service (DoS) is an attack technique with the intent of
preventing a web site from serving normal user activity. DoS attacks,
which are easily normally applied to the network layer, are also
possible at the application layer. These malicious attacks can
succeed by starving a system of critical resources, vulnerability
exploit, or abuse of functionality.
Many times DoS attacks will attempt to consume all of a web site's
available system resources such as: CPU, memory, disk space etc.
When any one of these critical resources reach full utilization, the
web site will normally be inaccessible.
As today's web application environments include a web server,
database server and an authentication server, DoS at the application
layer may target each of these independent components. Unlike DoS
at the network layer, where a large number of connection attempts
are required, DoS at the application layer is a much simpler task to
perform.
Example
Assume a Health-Care web site that generates a report with medical
history. For each report request, the web site queries the database to
fetch all records matching a single social security number. Given that
hundred of thousands of records are stored in the database (for all
users), the user will need to wait three minutes to get their medical
history report. During the three minutes of time, the database server's
CPU reaches 60% utilization while searching for matching records.
A common application layer DoS attack will send 10 simultaneous
requests asking to generate a medical history report. These requests
will most likely put the web site under a DoS-condition as the
database server's CPU will reach 100% utilization. At this point the
system will likely be inaccessible to normal user activity.
DoS targeting a specific user
An intruder will repeatedly attempt to login to a web site as some
user, purposely doing so withan invalid password. This process will
eventually lock out the user.
DoS targeting the Database server
An intruder will use SQL injection techniques to modify the database
so that the system becomes unusable (e.g., deleting all data, deleting
all usernames etc.)
DoS targeting the Web server
An intruder will use Buffer Overflow techniques to send a specially
crafted request that will crashes the web server process and the
system will normally be inaccessible to normal user activity.
6.3 Insufficient Anti-automation
Insufficient Anti-automation is when a web site permits an attacker to
automate a process that should only be performed manually. Certain
web site functionalities should be protected against automated
attacks.
Left unchecked, automated robots (programs) or attackers could
repeatedly exercise web site functionality attempting to exploit or
defraud the system. An automated robot could potentially execute
thousands of requests a minute, causing potential loss of
performance or service.
For example, an automated robot should not be able to sign up ten
thousand new accounts in a few minutes. Similarly, automated robots
should not be able to annoy other users with repeated message
board postings. These operations should be limited only to human
usage.
References
Telling Humans Apart (Automatically)
http://www.captcha.net/
"Ravaged by Robots!", By Randal L. Schwartz
http://www.webtechniques.com/archives/2001/12/perl/
".Net Components Make Visual Verification Easier", By JingDong (Jordan) Zhang
http://go.cadwire.net/?3870,3,1
"Vorras Antibot"
http://www.vorras.com/products/antibot/
"Inaccessibility of Visually-Oriented Anti-Robot Tests"
http://www.w3.org/TR/2003/WD-turingtest-20031105/
6.4 Insufficient Process Validation
Insufficient Process Validation is when a web site permits an attacker
to bypass or circumvent the intended flow control of an application. If
the user state through a process is not verified and enforced, the web
site could be vulnerable to exploitation or fraud.
When a user performs a certain web site function, the application
may expect the user to navigate through a specific order sequence.
If the user performs certain steps incorrectly or out of order, a data
integrity error occurs. Examples of multi-step processes include wire
transfer, password recovery, purchase checkout, account signup, etc.
These processes will likely require certain steps to be performed as
expected.
For multi-step processes to function properly, web sites are required
to maintain user state as the user traverses the process flow. Web
sites will normally track a users state through the use of cookies or
hidden HTML form fields. However, when tracking is stored on the
client side within the web browser, the integrity of the data must be
verified. If not, an attacker may be able to circumvent the expected
traffic flow by altering the current state.
Example
An online shopping cart system may offer to the user a discount if
product A is purchased. The user may not want to purchase product
A, but product B. By filling the shopping cart with product A and
product B, and entering the checkout process, the user obtains the
discount. The user then backs out of the checkout process, and
removes product A, or simply alters the values before submitting to
the next step. The user then reenters the checkout process, keeping
the discount already given in the previous checkout process with
product A in the shopping cart, and obtains a fraudulent purchase
price.
References
"Dos and Don'ts of Client Authentication on the Web", Kevin Fu, Emil
Sit, Kendra Smith, Nick Feamster - MIT Laboratory for Computer Science
http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf
Contact
Web Application Security Consortium
http://www.webappsec.org
For general inquiries, email contact@webappsec.org
Appendix
There are several web application security attack techniques that we are
unable to classify at this time. Within the appendix, there is summarized
documentation that describes some of these methodologies. These issues will
be handled systematically in version 2 of the Threat Classification.
1.1 HTTP Response Splitting
In the HTTP Response Splitting attack, there are always 3 parties (at
least) involved:
_ Web server, which has a security hole enabling HTTP Response Splitting
_ Target - an entity that interacts with the web server perhaps on behalf of
the attacker. Typically this is a cache server (forward/reverse proxy), or a
browser (possibly with a browser cache).
_ Attacker - initiates the attack
The essence of HTTP Response Splitting is the attacker's ability to send a single
HTTP request that forces the web server to form an output stream, which is then
interpreted by the target as two HTTP responses instead of one response, in the
normal case. The first response may be partially controlled by the attacker, but
this is less important. What is material is that the attacker completely controls the
form of the second response from the HTTP status line to the last byte of the
HTTP response body. Once this is possible, the attacker realizes the attack by
sending two requests through the target. The first one invokes two responses
from the web server, and the second request would typically be to some
"innocent" resource on the web server. However, the second request would be
matched, by the target, to the second HTTP response, which is fully controlled by
the attacker. The attacker, therefore, tricks the target into believing that a
particular resource on the web server (designated by the second request) is the
server's HTTP response (server content), while it is in fact some data, which is
forged by the attacker through the web server - this is the second response.
HTTP Response Splitting attacks take place where the server script
embeds user data in HTTP response headers. This typically happens
when the script embeds user data in the redirection URL of a
redirection response (HTTP status code 3xx), or when the script
embeds user data in a cookie value or name when the response sets
a cookie.
In the first case, the redirection URL is part of the Location HTTP response
header, and in the second cookie setting case, the cookie name/value is part of
the Set-Cookie HTTP response header.
The essence of the attack is injecting CRs and LFs in such manner that a second
HTTP message is formed where a single one was planned for by the application.
CRLF injection is a method used for several other attacks which change the data
of the single HTTP response send by the application (e.g. [2]), but in this case,
the role of the CRLFs is slightly different - it is meant to terminate the first
(planned) HTTP response message, and form another (totally crafted by the
attacked, and totally unplanned by the application) HTTP response message
(hence the name of the attack).
This injection is possible if the application (that runs on top of the web server)
embeds un-validated user data in a redirection, cookie setting, or any other
manner that eventually causes user data to become part of the HTTP response
headers.
With HTTP Response Splitting, it is possible to mount various kinds of attacks:
_ Cross-site Scripting (XSS): Until now, it has been impossible to mount
XSS attacks on sites through a redirection script when the clients use IE
unless all the location headers can be controlled. This attack makes it
possible.
_ Web Cache Poisoning (defacement): This is a new attack. The attacker
simply forces the target (i.e. a cache server of some sort - the attack was
verified on Squid 2.4, NetCache 5.2, Apache Proxy 2.0 and few other
cache servers) to cache the second response in response to the second
request. An example is to send a second request to
"http://web.site/index.html", and force the target (cache server) to cache the
second response that is fully controlled by the attacker. This is effectively a
defacement of the web site, at least as experienced by other clients, who
use the same cache server. Of course, in addition to defacement, an
attacker can steal session cookies, or "fix" them to a predetermined value.
_ Cross User attacks (single user, single page, temporary defacement: As a
variant of the attack, it is possible for the attacker not to send the second
request. This seems odd at first, but the idea is that in some cases, the
target may share the same TCP connection with the server, among several
users (this is the case with some cache servers). The next user to send a
request to the web server through the target will be served by the target
with the second response the attacker generated. The net result is having
a client of the web site being served with a resource that was crafted by the
attacker. This enables the attacker to "deface" the site for a single page
requested by a single user (a local, temporary defacement). Much like the
previous item, in addition to defacement, the attacker can steal session
cookies and/or set them.
_ Hijacking pages with user-specific information: With this attack, it is
possible for the attacker to receive the server response to a user request
instead of the user. Therefore, the attacker gains access to user specific
information that may be sensitive and confidential.
_ Browser cache poisoning: This is a special case of "Web Cache
Poisoning" (verified on IE 6.0). It is somewhat similar to XSS in the sense
that in both the attacker needs to target individual clients. However, unlike
XSS, it has a long lasting effect because the spoofed resource remains in
the browser's cache.
Example
Consider the following JSP page (let's assume it is located in /redir_lang.jsp):
<%
response.sendRedirect("/by_lang.jsp?lang="+
request.getParameter("lang"));
%>
When invoking /redir_lang.jsp with a parameter lang=English, it will redirect to
/by_lang.jsp?lang=English. A typical response is as follows (the web server is
BEA WebLogic 8.1 SP1 - see section "Lab Environment" in [1] for exact details
for this server):
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 12:53:28 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=English
Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 PDT 2003
271009 with
Content-Type: text/html
Set-Cookie:
JSESSIONID=1pMRZOiOQzZiE6Y6iivsREg82pq9Bo1ape7h4YoHZ62RXj
ApqwBE!-1251019693; path=/
Connection: Close
302 Moved Temporarily
This document you requested has moved temporarily.
It's now at http://10.1.1.1/by_lang.jsp?lan
g=English.
As can be seen, the lang parameter is embedded in the Location response
header.
Now, we move on to mounting an HTTP Response Splitting attack. Instead of
sending the value English, we send a value, which makes use of URL-encoded
CRLF sequences to terminate the current response, and shape an additional
one. Here is how this is done:
/redir_lang.jsp?lang=foobar%0d%0aContent-
Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-
Type:%20text/html%0d%0aContent-
Length:%2019%0d%0a%0d%0aShazam
This results in the following output stream, sent by the web server
over the TCP connection:
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19
Shazam
Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 PDT 2003
271009 with
Content-Type: text/html
Set-Cookie:
JSESSIONID=1pwxbgHwzeaIIFyaksxqsq92Z0VULcQUcAanfK7In7IyrCST
9UsS!-1251019693; path=/
[...]
Explanation: this TCP stream will be parsed by the target as follows:
A first HTTP response, which is a 302 (redirection) response. This response is
colored blue.
A second HTTP response, which is a 200 response, with a content
comprising of 19 bytes of HTML. This response is colored red.
Superfluous data - everything beyond the end of the second response is
superfluous, and does not conform to the HTTP standard.
So when the attacker feeds the target with two requests, the first being to the
URL
/redir_lang.jsp?lang=foobar%0d%0aContent-
Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-
Type:%20text/html%0d%0aContent-
Length:%2019%0d%0a%0d%0aShazam
And the second to the URL
/index.html
The target would believe that the first request is matched to the first response:
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0
And that the second request (to /index.html) is matched to the second
response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19
Shazam
And by this, the attacker manages to fool the target.
Now, this particular example is quite na•ve, as is explained in [1]. It doesn't take
into account some problems with how targets parse the TCP stream, issues with
the superfluous data, problems with the data injection, and how to force caching.
This (and more) is discussed in [1], under the "practical consideration" sections.
Solution
Validate input. Remove CRs and LFs (and all other hazardous
characters) before embedding data into any HTTP response headers,
particularly when setting cookies and redirecting. It is possible to use
third party products to defend against CR/LF injection, and to test for
existence of such security holes before application deployment.
Further recommendations are:
Make sure you use the most up to date application engine
Make sure that your application is accessed through a unique IP address (i.e.
that the same IP address is not used for another application, as it is with virtual
hosting).
References
[1] "Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" by Amit Klein,
http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf
[2] "CRLF Injection" by Ulf Harnhammar (BugTraq posting),
http://www.securityfocus.com/archive/1/271515
1.2 Web Server/Application Fingerprinting
Web server/application fingerprinting is similar to its predecessor, TCP/IP
Fingerprinting (with today's favorite scanner - Nmap) except that it is focused on
the Application Layer of the OSI model instead of the Transport Layer. The
theory behind web server/application fingerprinting is to create an accurate
profile of the target's software, configurations and possibly even their network
architecture/topology by analyzing the following:
_ Implementation differences of the HTTP Protocol
_ HTTP Response Headers
_ File Extensions (.asp vs. jsp)
_ Cookies (ASPSESSION)
_ Error Pages (Default?)
_ Directory Structures and Naming Conventions (Windows/Unix)
_ Web Developer Interfaces (Frontpage/WebPublisher)
_ Web Administrator Interfaces (iPlanet/Comanche)
_ OS Fingerprinting Mismatches (IIS on Linux?)
The normal SOP for attackers is to footprint the target's web presence and
enumerate as much information as possible. With this information, the attacker
may develop an accurate attack scenario, which will effectively exploit a
vulnerability in the software type/version being utilized by the target host.
Accurately identifying this information for possible attack vectors is vitally
importantly since many security vulnerabilities (such as buffer overflows, etc...)
are extremely dependent on a specific software vendor and version numbers.
Additionally, correctly identifying the software versions and choosing an
appropriate exploit reduces the overall "noise" of the attack while increasing its
effectiveness. It is for this reason that a web server/application, which obviously
identifies itself, is inviting trouble.
In fact, the HTTP RFC 2068 discusses this exact issue and urges web
administrators to take steps to hide the version of software being displayed by
the "Server" response header:
"Note: Revealing the specific software version of the server may allow the
server machine to become more vulnerable to attacks against software that
is known to contain security holes. Server implementers are encouraged to
make this field a configurable option."
Due to the fact that it is possible to infer the type and version of web
server/application that is being used by a target by correlating information
gathering by other Information Disclosure categories, we will focus only on the
HTTP Protocol implementation analyzation that today's web fingerprinting tools
utilize.
Examples:
All of the examples below demonstrate analysis techniques of the composition
and interpretation of HTTP requests by the target web servers.
Implementation differences of the HTTP Protocol
Lexical - The lexical characteristics category covers variations in the actual
words/phrases used, capitalization and punctuation displayed by the HTTP
Response Headers.
_ Response Code Message - The error code 404, Apache reports "Not
Found" whereas Microsoft IIS/5.0 reports "Object Not Found".
Apache 1.3.29 - 404
Microsoft-IIS/4.0 - 404
# telnet target1.com 80
Trying target1.com...
Connected to target1.com.
Escape character is '^]'.
HEAD /non-existent-file.txt HTTP/1.0
HTTP/1.1 404 Not Found
Date: Mon, 07 Jun 2004 14:31:03 GMT
Server: Apache/1.3.29 (Unix)
mod_perl/1.29
Connection: close
Content-Type: text/html; charset=iso-
8859-1
Connection closed by foreign host.
# telnet target2.com 80
Trying target2.com...
Connected to target2.com.
Escape character is '^]'.
HEAD /non-existent-file.txt HTTP/1.0
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/4.0
Date: Mon, 07 Jun 2004 14:41:22 GMT
Content-Length: 461
Content-Type: text/html
Connection closed by foreign host.
_ Header Wording - The header "Content-Length" is returned vs. "Content-
length".
Netscape-Enterprise/6.0 - HEAD
Microsoft-IIS/4.0 - HEAD
# telnet target1.com 80
Trying target1.com...
Connected to target1.com.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Server: Netscape-Enterprise/6.0
Date: Mon, 07 Jun 2004 14:55:25 GMT
Content-length: 26248
Content-type: text/html
Accept-ranges: bytes
Connection closed by foreign host.
# telnet target2.com 80
Trying target2.com...
Connected to target2.com.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/4.0
Date: Mon, 07 Jun 2004 15:22:54 GMT
Content-Length: 461
Content-Type: text/html
Connection closed by foreign host.
Syntactic - Per the HTTP RFC, all web communications are required to have a
predefined structure and composition so that both parties can understand each
other. Variations in the HTTP Response header ordering and format still exist.
_ Header Ordering - Apache servers consistently place the "Date" header
before the "Server" header while Microsoft-IIS has these headers in the
reverse order.
Apache 1.3.29- HEAD
Microsoft-IIS/4.0 - HEAD
# telnet target1.com 80
Trying target1.com...
Connected to target1.com.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Mon, 07 Jun 2004 15:21:24 GMT
Server: Apache/1.3.29 (Unix)
mod_perl/1.29
Content-Location: index.html.en
Vary: negotiate,accept-language,accept-
charset
TCN: choice
Last-Modified: Fri, 04 May 2001 00:00:38
GMT
ETag: "4de14-5b0-3af1f126;40a4ed5d"
Accept-Ranges: bytes
Content-Length: 1456
Connection: close
Content-Type: text/html
Content-Language: en
Expires: Mon, 07 Jun 2004 15:21:24 GMT
Connection closed by foreign host.
# telnet target2.com 80
Trying target2.com...
Connected to target2.com.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/4.0
Date: Mon, 07 Jun 2004 15:22:54 GMT
Content-Length: 461
Content-Type: text/html
Connection closed by foreign host.
_ List Ordering - When an OPTIONS method is sent in an HTTP Request, a
list of allowed methods for the given URI are returned in an "Allow" header.
Apache only returns the "Allow: header, while IIS also includes a "Public"
header.
Apache 1.3.29- OPTIONS
Microsoft-IIS/5.0 - OPTIONS
# telnet target1.com 80
Trying target1.com...
Connected to target1.com.
Escape character is '^]'.
OPTIONS * HTTP/1.0
HTTP/1.1 200 OK
Date: Mon, 07 Jun 2004 16:21:58 GMT
Server: Apache/1.3.29 (Unix)
mod_perl/1.29
Content-Length: 0
Allow: GET, HEAD, OPTIONS, TRACE
Connection: close
Connection closed by foreign host.
# telnet target2.com 80
Trying target2.com...
Connected to target2.com.
Escape character is '^]'.
OPTIONS * HTTP/1.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 7 Jun 2004 12:21:38 GMT
Content-Length: 0
Accept-Ranges: bytes
DASL:
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD,
DELETE, PUT, POST, COPY, MOVE, MKCOL,
PROPFIND, PROPPATCH, LOCK, UNLOCK,
SEARCH
Allow: OPTIONS, TRACE, GET, HEAD,
DELETE, PUT, POST, COPY, MOVE, MKCOL,
PROPFIND, PROPPATCH, LOCK, UNLOCK,
SEARCH
Cache-Control: private
Connection closed by foreign host.
Semantic - Besides the words and phrases that are returned in the HTTP
Response, there are obvious differences in how web servers interpret both well-
formed and abnormal/noncompliant requests.
_ Presence of Specific Headers - A server has a choice of headers to include
in a Response. While some headers are required by the specification, most
headers (e.g. ETag) are optional. In the examples below, the Apache
servers response headers include additional entries such as: ETag, Vary and
Expires while the IIS server does not.
Apache 1.3.29- HEAD
Microsoft-IIS/4.0 - HEAD
# telnet target1.com 80
Trying target1.com...
Connected to target1.com.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Mon, 07 Jun 2004 15:21:24 GMT
Server: Apache/1.3.29 (Unix)
mod_perl/1.29
Content-Location: index.html.en
Vary: negotiate,accept-language,accept-
charset
TCN: choice
Last-Modified: Fri, 04 May 2001 00:00:38
GMT
ETag: "4de14-5b0-3af1f126;40a4ed5d"
Accept-Ranges: bytes
Content-Length: 1456
Connection: close
Content-Type: text/html
Content-Language: en
Expires: Mon, 07 Jun 2004 15:21:24 GMT
Connection closed by foreign host.
# telnet target2.com 80
Trying target2.com...
Connected to target2.com.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/4.0
Date: Mon, 07 Jun 2004 15:22:54 GMT
Content-Length: 461
Content-Type: text/html
Connection closed by foreign host.
Response Codes for Abnormal Requests - Even though the same requests
are made to the target web servers, it is possible to interpretation of the request
to be different and therefore different response codes generated. A perfect
example of this semantic difference in interpretation is the "Light Fingerprinting"
check which the Whisker scanner utilizes. The section of Perl code below, taken
from Whisker 2.1's main.test file, runs two tests to determine if the target web
server is in fact an Apache server, regardless of what the Banner might report.
The first request is a "GET //" and if the HTTP Status Code is a 200, then the
next request is sent. The second request is "GET/%2f", which is URI Encoded -
and translates to "GET //". This time Apache returns a 404 - Not Found error
code. Other web servers - IIS - do not return the same status codes for these
requests.
# now do some light fingerprinting...
-- CUT --
my $Aflag=0;
$req{whisker}->{uri}='//';
if(!_do_request(\%req,\%G_RESP)){
_d_response(\%G_RESP);
if($G_RESP{whisker}->{code}==200){
$req{whisker}->{uri}='/%2f';
if(!_do_request(\%req,\%G_RESP)){
_d_response(\%G_RESP);
$Aflag++ if($G_RESP{whisker}-
>{code}==404);
} } }
m_re_banner('Apache',$Aflag);
After running Whisker against a target website, it reports, based on the pre-tests
that the web server may in fact be an Apache server. Below is the example
Whisker report section:
-----------------------------------------------------------------------
Title: Server banner
Id: 100
Severity: Informational
The server returned the following banner:
Microsoft-IIS/4.0
-----------------------------------------------------------------------
Title: Alternate server type
Id: 103
Severity: Informational
Testing has identified the server might be an 'Apache' server. This
Change could be due to the server not correctly identifying itself (the
Admins changed the banner). Tests will now check for this server type
as well as the previously identified server types.
-----------------------------------------------------------------------
Not only does this alert the attacker that the web server administrators are savvy
enough to alter the Server banner info, but Whisker will also add in all of the
Apache tests to its scan which would increase its accuracy.
Solutions:
It is not possible to remove every single identifying piece of information provided
by your web server. The fact is that a determined attack will be able to identify
your web server software. Your goal should be to raise the bar of
reconnaissance to a height that will cause the attacker to probe hard enough that
they will most likely trigger a security alert. The steps below will aid in this task.
The solutions are listed in order from easiest to implement to the most complex.
Alter the Server Banner Information
It is possible to edit out and/or alter (for deception purposes) the "Server" field
information displayed by a web server's response headers. There has been
much debate in web security circles as to the amount of protection that can be
gained by changing the HTTP Server: token information. While altering the
banner info alone, and not taking any other steps to hide the software version,
probably doesn't provide much protection from REAL people who are actively
conducting reconnaissance, it does help with regards to blocking automated
WORM programs. Due to the increase in popularity of using worms to mass
infect systems; this method of protecting your web servers becomes vital. This
step could certainly buy organizations some time during the patching phase
when new worms are released into the wild and they are configured to attack
systems based on the server token response.
Apache Servers - ModSecurity has the SecServerSignature setting, which
allows the web admin to set the Server banner info from within the httpd.conf file
instead of editing the Apache source code prior to compilation.
IIS Servers - By installing the IISLockDown and URLScan tools, you can update
the banner info returned to clients.
Minimize the Verboseness of Information in Headers
Restrict the amount of information returned in the response headers. For
instance, Apache allows the administrator to control the verboseness of the
Server banner token by editing the ServerTokens directive:
ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/1.3.0
ServerTokens OS
Server sends (e.g.): Server: Apache/1.3.0 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2
By minimizing the headers, you may hide information such as additional apache
modules that are installed.
Implement Fake Headers
An alternate technique for defeating/confusing web server fingerprinting is to
present a fake web topology. Attackers usually include Banner Grabbing
sessions as part of the overall Footprinting Process. During Footprinting, the
attacker is trying to gauge the target's enterprise architecture. By adding in
additional fake headers, we can simulate a complex web environment (I.E.-
DMZ). By adding additional headers to simulate the existence of a reverse proxy
server, we can create the "appearance" of a complex architecture.
For Apache servers, we can add the following httpd.conf entry to accomplish this
task:
_ Header set Via "1.1 squid.proxy.companyx.com (Squid/2.4.STABLE6)"
_ ErrorHeader set Via "1.1 squid.proxy.companyx.com
(Squid/2.4.STABLE6)"
_ Header set X-Cache "MISS from www.nonexistenthost.com"
_ ErrorHeader set X-Cache "MISS from www.nonexistenthost.com"
These entries add the "Via" and X-Cache HTTP response headers to all
responses as shown below:
# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 30 Mar 2003 21:59:46 GMT
Content-Location: index.html.en
Vary: negotiate,accept-language,accept-charset
TCN: choice
Via: 1.1 squid.proxy.companyx.com (Squid/2.4.STABLE6)
X-Cache: MISS from www.nonexistenthost.com
Content-Length: 2673
Connection: close
This gives the illusion that we are using a Squid Proxy server and are presenting
web data from a non-existent server. This might entice the attacker into either
launching Squid Exploits against our Apache server, which would of course be
unsuccessful or to attack the host specified in the X-Cache header with does not
actually exist.
Install Third Party Web Security Tools
By installing additional web security applications or tools, such as ModSecurity or
ServerMask, it is possible to either disrupt or total defeat today's web server
fingerprinting applications such as HTTPrint. As described in the example
sections above, these tools will probe target web servers with many different
requests to try and initiate a specific response. Below are some of the abnormal
requests which HTTPrint sends to the web server:
192.168.139.101 - - [08/Jun/2004:11:21:40 -0400] "JUNKMETHOD / HTTP/1.0" 501
344 "-" "-"
192.168.139.101 - - [08/Jun/2004:11:21:40 -0400] "GET / JUNK/1.0" 400 381 "-"
"-"
192.168.139.101 - - [08/Jun/2004:11:21:40 -0400] "get / HTTP/1.0" 501 330 "-"
"-"
192.168.139.101 - - [08/Jun/2004:11:21:40 -0400] "GET / HTTP/0.8" 200 1456 "-"
"-"
192.168.139.101 - - [08/Jun/2004:11:21:40 -0400] "GET / HTTP/1.2" 200 1456 "-"
"-"
192.168.139.101 - - [08/Jun/2004:11:21:40 -0400] "GET / HTTP/3.0" 200 1456 "-"
"-"
192.168.139.101 - - [08/Jun/2004:11:21:40 -0400] "GET /../../ HTTP/1.0" 400 344
"-" "-"
If we implement a tool such as ModSecurity for Apache servers, we can create
HTTP RFC compliant filters, which will trigger on these abnormal requests.
Here are some ModSecurity httpd.conf entries, which may be used:
# This will return a 403 - Forbidden Status Code for all Mod_Security actions
SecFilterDefaultAction "deny,log,status:403"
# This will deny directory traversals
SecFilter "\.\./"
# This entry forces compliance of the request method. Any requests that do NOT
# start with either GET|HEAD|POST will be denied. This will catch/trigger on
# junk methods.
SecFilterSelective THE_REQUEST "!^(GET|HEAD|POST)"
# This entry will force HTTP compliance to the end portion of the request. If
# the request does NOT end with a valid HTTP version, then it will be denied.
SecFilterSelective THE_REQUEST "!HTTP\/(0\.9|1\.0|1\.1)$"
Source Code Editing
This is the most complex task for fingerprinting countermeasures, however it is
the most effective. The risk vs. reward for this task could vary greatly depending
on your skill level of programming or your web architecture. Generally speaking,
this task includes editing the source code of the web server either prior to
compilation or with the actual binary using a binary editor. For open source web
servers such as Apache, the task is much easier since you have access to the
code.
Header Ordering - Below is a source code patch for the Apache 1.3.29 server
that will correct the DATE/SERVER order and also mimic the IIS OPTIONS
output data. This patch updates the http_protocol.c file in the
/apache_1.3.29/src/main directory. The OPTIONS section will return headers
which are normally associated with IIS response tokens. These include the
Public, DASL, DAV and Cache-Control headers.
--- http_protocol.c.orig Mon Apr 26 02:11:58 2004
+++ http_protocol.c Mon Apr 26 02:43:31 2004
@@ -1597,9 +1597,6 @@
/* output the HTTP/1.x Status-Line */
ap_rvputs(r, protocol, " ", r->status_line, CRLF, NULL);
- /* output the date header */
- ap_send_header_field(r, "Date", ap_gm_timestr_822(r->pool, r-
>request_time));
-
/* keep the set-by-proxy server header, otherwise
* generate a new server header */
if (r->proxyreq) {
@@ -1612,6 +1609,9 @@
ap_send_header_field(r, "Server", ap_get_server_version());
}
+ /* output the date header */
+ ap_send_header_field(r, "Date", ap_gm_timestr_822(r->pool, r-
>request_time));
+
/* unset so we don't send them again */
ap_table_unset(r->headers_out, "Date"); /* Avoid bogosity */
ap_table_unset(r->headers_out, "Server");
@@ -1716,7 +1716,9 @@
ap_basic_http_header(r);
ap_table_setn(r->headers_out, "Content-Length", "0");
+ ap_table_setn(r->headers_out, "Public", "OPTIONS, TRACE, GET, HEAD,
DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK,
SEARCH");
ap_table_setn(r->headers_out, "Allow", make_allow(r));
+ ap_table_setn(r->headers_out, "Cache-Control", "private");
ap_set_keepalive(r);
ap_table_do((int (*) (void *, const char *, const char *))
ap_send_header_field,
Reference:
"An Introduction to HTTP fingerprinting"
http://net-square.com/httprint/httprint_paper.html
"Hypertext Transfer Protocol -- HTTP/1.1"
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2068.html#sec-14.39
"HMAP: A Technique and Tool for Remote Identification of HTTP Servers"
http://seclab.cs.ucdavis.edu/papers/hmap-thesis.pdf
"Identifying Web Servers: A first-look into Web Server Fingerprinting"
http://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-grossman.pdf
"Mask Your Web Server for Enhanced Security"
http://www.port80software.com/support/articles/maskyourwebserver
"Web Intrusion Detection and Prevention"
http://www.modsecurity.org
"IIS LockDown Tool 2.1"
http://www.microsoft.com/downloads/details.aspx?FamilyID=DDE9EFC0-BB30-
47EB-9A61-FD755D23CDEC&displaylang=en
"URLScan Tool"
http://www.microsoft.com/downloads/details.aspx?FamilyID=f4c5a724-cafa-
4e88-8c37-c9d5abed1863&DisplayLang=en
"ServerMask Tool"
http://www.port80software.com/products/servermask/
License
Terms and Conditions for Copying, Distributing, and Modifying
Items other than copying, distributing, and modifying the Content with
which this license was distributed (such as using, etc.) are outside the
scope of this license.
1. You may copy and distribute exact replicas of the OpenContent
(OC) as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the notices
that refer to this License and to the absence of any warranty; and
give any other recipients of the OC a copy of this License along with
the OC. You may at your option charge a fee for the media and/or
handling involved in creating a unique copy of the OC for use offline,
you may at your option offer instructional support for the OC in
exchange for a fee, or you may at your option offer warranty in
exchange for a fee. You may not charge a fee for the OC itself. You
may not charge a fee for the sole service of providing access to
and/or use of the OC via a network (e.g. the Internet), whether it be
via the world wide web, FTP, or any other method.
2. You may modify your copy or copies of the OpenContent or any
portion of it, thus forming works based on the Content, and distribute
such modifications or work under the terms of Section 1 above,
provided that you also meet all of these conditions:
a) You must cause the modified content to carry prominent notices
stating that you changed it, the exact nature and content of the
changes, and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the OC or any part
thereof, to be licensed as a whole at no charge to all third parties
under the terms of this License, unless otherwise permitted under
applicable Fair Use law.
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the OC, and
can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the OC, the distribution of the whole must be on the terms of this
License, whose permissions for other licensees extend to the entire
whole, and thus to each and every part regardless of who wrote it.
Exceptions are made to this requirement to release modified works
free of charge under this license only in compliance with Fair Use law
where applicable.
3. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to copy,
distribute or modify the OC. These actions are prohibited by law if you
do not accept this License. Therefore, by distributing or translating
the OC, or by deriving works herefrom, you indicate your acceptance
of this License to do so, and all its terms and conditions for copying,
distributing or translating the OC.
NO WARRANTY
4. BECAUSE THE OPENCONTENT (OC) IS LICENSED FREE OF
CHARGE, THERE IS NO WARRANTY FOR THE OC, TO THE
EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS
AND/OR OTHER PARTIES PROVIDE THE OC "AS IS" WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK OF USE OF THE OC IS WITH YOU.
SHOULD THE OC PROVE FAULTY, INACCURATE, OR
OTHERWISE UNACCEPTABLE YOU ASSUME THE COST OF ALL
NECESSARY REPAIR OR CORRECTION.
5. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR
AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR
ANY OTHER PARTY WHO MAY MIRROR AND/OR REDISTRIBUTE
THE OC AS PERMITTED ABOVE, BE LIABLE TO YOU FOR
DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL
OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE OC, EVEN IF SUCH HOLDER OR OTHER
PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
Copyright 2004, Web Application Security Consortium. All rights reserved.