Web Server Attacks

An attacker can use many techniques to compromise a web server, such as DoS/DDoS, DNS server hijacking, DNS amplification, directory traversal, Man-in-the-Middle (MITM)/sniffing, phishing, website defacement, web server misconfiguration, HTTP response splitting, web cache poisoning, SSH brute force, web server password cracking, and so on. This section describes these attacks in detail.

The Web Server Attacks module is part of the Certified Ethical Hacker training at Infosavvy. We look at the anatomy of a web server attack in CEHv10 practical scenarios specially designed by Infosavvy, then use tools like Nikto and Metasploitable for penetration testing and find vulnerabilities in the web server. The training module also explains how an organization can adopt policies such as patch management, firewalls and vulnerability scanners to protect itself against web server attacks.

In Certified Ethical Hacker (CEHv10) training we cover all of the above attacks and explain how to resolve them. At Infosavvy you can also learn pentesting in the ECSA course. In ECSA training you learn the advanced security techniques and Licensed Penetration Tester (LPT) methodologies used by cybersecurity professionals.

DoS/DDoS Attacks

A DoS/DDoS attack involves flooding the target with numerous fake requests so that it stops functioning and becomes unavailable to legitimate users. Using a web server DoS/DDoS attack, an attacker attempts to take the web server down or make it unavailable to legitimate users. A web server DoS/DDoS attack often targets high-profile web servers such as banks, credit card payment gateways, and even root name servers.

To crash the web server running the application, the attacker exhausts the following resources by flooding the web server with fake requests:

  • Network bandwidth
  • Server memory
  • Application exception handling mechanism
  • CPU usage
  • Hard disk space
  • Database space

Related Product:- Certified Ethical Hacker | CEH Certification

DNS Server Hijacking

Domain Name System (DNS) resolves a domain name to its corresponding IP address. A user queries the DNS server with a domain name, and it delivers the corresponding IP address.

In DNS server hijacking, an attacker compromises the DNS server and changes the mapping settings of the target DNS server so that it redirects queries to a rogue DNS server, which in turn answers the user’s requests with the address of the attacker’s rogue server. Thus, when the user types the legitimate URL in a browser, the altered settings redirect the user to the attacker’s fake site.

DNS Amplification Attack

A recursive DNS query is a method of requesting a DNS mapping. The query is passed from one domain name server to the next until the specified domain-name-to-IP-address mapping is resolved, or the lookup fails.

Following are the steps involved in processing a recursive DNS request:

Step 1:
A user who wants to resolve the IP address for a selected domain sends a DNS query to the primary DNS server specified in the host’s TCP/IP properties.

Steps 2 to 7:
If the requested DNS mapping is not present on the user’s primary DNS server, it forwards the request to a root server. The root server refers the request to the .com namespace, where the mapping for the domain can be found. This process repeats recursively until the DNS mapping is resolved.

Step 8:
Ultimately, when the primary DNS server obtains the requested DNS mapping, it caches the IP address so that later queries are answered locally.

Attackers exploit recursive DNS queries to perform a DNS amplification attack, which leads to a DDoS attack on the victim’s DNS server.

Following are the steps involved in a DNS amplification attack:

Step 1:
The attacker instructs compromised hosts (bots) to make DNS queries within the network.

Step 2:
All the compromised hosts send DNS query requests with the spoofed source IP address of the victim to the victim’s primary DNS server, the one configured in the victim’s TCP/IP settings.

Steps 3 to 8:
If the requested DNS mapping is not present on the victim’s primary DNS server, the server forwards the requests to a root server. The root server refers the request to the .com or other respective TLD namespace. This process repeats recursively until the victim’s primary DNS server resolves the DNS mapping request.

Step 9:
After the primary DNS server finds the DNS mapping for the request, it sends the DNS response to the victim’s IP address, because the bots used the victim’s address as the source. The responses to the large number of DNS mapping requests from the bots result in a DDoS on the victim’s DNS server.
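The response-to-query byte ratio described in Step 9 is what a resolver operator can measure. The following added example (not part of the original article) aggregates constructed resolver records per client address, flags addresses that look like spoofed amplification victims, and shows the usual mitigation of only answering recursive queries for the networks the resolver serves; the record format, thresholds and allowed networks are assumptions.

```python
"""Spot DNS amplification traffic in resolver query records (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class DnsRecord:
    client_ip: str      # source address of the query; in an amplification attack this is the spoofed victim
    qname: str
    qtype: str
    query_bytes: int
    response_bytes: int


# Constructed sample records for illustration, not captured traffic.
SAMPLE_RECORDS = [
    DnsRecord("198.51.100.7", "example.com", "ANY", 64, 3200),
    DnsRecord("198.51.100.7", "example.com", "ANY", 64, 3200),
    DnsRecord("198.51.100.7", "example.com", "ANY", 64, 3200),
    DnsRecord("198.51.100.7", "example.com", "TXT", 64, 2900),
    DnsRecord("203.0.113.5", "www.example.com", "A", 50, 90),
    DnsRecord("203.0.113.5", "mail.example.com", "MX", 52, 120),
]


def amplification_by_client(records):
    """Return {client_ip: (query_count, query_bytes, response_bytes, ratio)}."""
    totals = defaultdict(lambda: [0, 0, 0])
    for r in records:
        t = totals[r.client_ip]
        t[0] += 1
        t[1] += r.query_bytes
        t[2] += r.response_bytes
    return {ip: (n, q, a, a / q) for ip, (n, q, a) in totals.items()}


def suspected_victims(records, min_queries=3, min_ratio=10.0):
    """Addresses that received at least min_queries answers whose bytes exceed
    min_ratio times the bytes they supposedly sent. Ordinary clients rarely
    sustain such a ratio; a spoofed victim of ANY/TXT queries does."""
    return sorted(ip for ip, (n, _q, _a, ratio) in amplification_by_client(records).items()
                  if n >= min_queries and ratio >= min_ratio)


def recursion_allowed(client_ip, allowed_nets=("10.0.0.0/8", "192.0.2.0/24")):
    """Mitigation: answer recursive queries only for networks this resolver serves.
    The allowed_nets default is an assumed example, not a recommendation."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in allowed_nets)
```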

Also Read:- Concepts of Denial-of-Service Attack & Distributed Denial of Service Attack

Directory Traversal Attacks

An attacker may be able to perform a directory traversal attack because of a vulnerability in the code of the web application. In addition, poorly patched or misconfigured web server software can make the web server itself vulnerable to directory traversal.

The design of web servers limits public access to some extent. Directory traversal is the exploitation of HTTP through which attackers access restricted directories and execute commands outside the web server’s root directory by manipulating a URL. In directory traversal attacks, attackers use the ../ (dot-dot-slash) sequence to reach restricted directories outside the web server’s root directory. Attackers can use trial and error to navigate outside the root directory and access sensitive information on the system.

An attacker exploits the software (the web server program) on the web server to perform directory traversal attacks, usually with nothing more than a browser. A web server is vulnerable to this attack if it accepts path input from a browser without proper validation.
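The validation the last paragraph calls for is shown in this added example (not code from the original article): it maps a requested URL path onto an assumed document root, peels nested percent-encoding so that encoded or double-encoded dot-dot-slash sequences are seen, and refuses any path that would leave the root.

```python
"""Resolve a requested URL path under the web root and refuse traversal (added example)."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root for the example


def safe_resolve(url_path, web_root=WEB_ROOT, max_decode=3):
    """Return the filesystem path for url_path, or None if it tries to escape web_root."""
    decoded = url_path
    for _ in range(max_decode):          # peel nested encoding: %252e%252e -> %2e%2e -> ..
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:                # NUL would truncate the path in some servers
        return None
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator as well
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:                  # strict policy: no parent references at all
        return None
    full = posixpath.normpath(posixpath.join(web_root, *segments)) if segments else web_root
    # belt and braces: the normalized result must still live under web_root
    if full != web_root and not full.startswith(web_root + "/"):
        return None
    return full
```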

Man-in-the-Middle/Sniffing Attack

Man-in-the-Middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end user and a web server. In a MITM or sniffing attack, an intruder intercepts or modifies the messages exchanged between the user and the web server by eavesdropping on or intruding into the connection. This enables the attacker to steal sensitive user information such as online banking details, usernames and passwords transferred over the web to the server. The attacker lures the victim into connecting to the web server through the attacker by pretending to be a proxy. If the victim accepts the attacker’s request, all communication between the user and the web server passes through the attacker, who can then read the sensitive user information.

Phishing Attacks

Attackers perform a phishing attack by sending an email containing a malicious link and tricking the user into clicking it. Clicking the link redirects the user to a fake website that looks almost identical to the legitimate one. The attackers host such websites on their own web servers. When a victim clicks the malicious link believing it to be the legitimate website address, it redirects to the malicious website hosted on the attacker’s server. The website prompts the user to enter sensitive information such as username, password, financial account information and Social Security number, and passes that data to the attacker. Later, the attacker may be able to establish a session with the legitimate website using the victim’s stolen credentials in order to perform malicious operations there.

Website Defacement

Website defacement refers to unauthorized changes made to the content of a single page or an entire website, resulting in changes to its visual appearance. Attackers break into web servers and alter the hosted website by injecting code to add images, popups or text to a page so that its visual appearance changes. In some cases, the attacker may replace the whole website rather than just changing single pages.

Defaced pages expose visitors to propaganda or misleading information until the unauthorized changes are discovered and corrected. Attackers use a variety of methods, such as MySQL injection, to gain access to a website in order to deface it. In addition to changing the visual appearance of the target website, attackers deface websites to infect visitors’ computers by making the website serve malware. Thus, website defacement not only embarrasses the target organization by changing the appearance of its website but is also intended to harm its visitors.

Web Server Misconfiguration

Web server misconfiguration refers to the configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers like directory traversal, server intrusion, and data theft.

Following are some common web server misconfigurations:
  • Verbose Debug/Error Messages
  • Anonymous or Default Users/Passwords
  • Sample Configuration and Script Files
  • Remote Administration Functions
  • Unnecessary Services Enabled
  • Misconfigured/Default SSL Certificates
An Example of a Web Server Misconfiguration:

“Keeping the server configuration secure requires vigilance.” (OWASP)

Administrators who configure web servers improperly may leave serious loopholes in the web server, giving an attacker the chance to exploit the misconfiguration to compromise its security and obtain sensitive information. The vulnerabilities of improperly configured web servers may relate to the configuration itself, applications, files, scripts, or sites. An attacker looks for such vulnerable web servers to launch attacks. A web server misconfiguration gives the attacker a path into the target organization’s network, and these loopholes can also help an attacker bypass user authentication. Once detected, these problems are often easily exploited and result in the complete compromise of a website hosted on the target web server.

The figure below shows a configuration that permits anyone to view the server status page, which contains detailed information about the current use of the web server, including the hosts and requests currently being processed.

HTTP Response-Splitting Attack

An HTTP response-splitting attack is a web-based attack in which the attacker tricks the server by injecting new lines into response headers, along with arbitrary content. It involves adding header response data to an input field so that the server splits its response into two responses. This type of attack exploits weaknesses in input validation; Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and SQL Injection are other examples of attacks that exploit weak input validation. In this attack, the attacker controls an input parameter and constructs a request header that causes two responses from the server: the attacker makes one request appear as two by adding header response data to the input field, and the web server in turn responds to each. The attacker passes malicious data to a vulnerable application, and the application includes that data in an HTTP response header. The attacker can control the first response to redirect the user to a malicious website, while the web browser discards the other responses.

Example of an HTTP Response-Splitting Attack

In this example, the attacker sends a response-splitting request to the web server. The server splits the response into two and sends the first response to the attacker and the second to the victim. After receiving the response from the web server, the victim requests service by providing credentials. At the same time, the attacker requests the index page. The web server then sends the response to the victim’s request to the attacker, and the victim remains unaware.
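The defect behind the example above is an application writing a decoded parameter straight into a header. The following added example (not code from the original article) puts that vulnerable pattern beside a hardened version that rejects CR, LF and NUL after decoding, and includes a constructed parameter value and a small counter so a tester can confirm that the hardened handler never emits a second status line; the handler names and the CRAFTED value are assumptions.

```python
"""Reject response-splitting payloads before untrusted input reaches a header (added example)."""
from urllib.parse import quote, unquote


class HeaderInjectionError(ValueError):
    pass


def validate_header_value(value):
    """Return the decoded value, or raise if it contains CR, LF or NUL.
    Decoding first catches %0d%0a smuggled through a URL parameter."""
    decoded = unquote(value)
    if any(c in decoded for c in ("\r", "\n", "\x00")):
        raise HeaderInjectionError("control character in header value")
    return decoded


def is_safe_header_value(value):
    try:
        validate_header_value(value)
        return True
    except HeaderInjectionError:
        return False


def naive_redirect(location_param):
    """The vulnerable pattern: the decoded parameter is written straight into Location."""
    return ("HTTP/1.1 302 Found\r\nLocation: " + unquote(location_param)
            + "\r\nContent-Length: 0\r\n\r\n")


def build_redirect(location_param):
    """Hardened version: validate, then percent-encode anything outside the URL-safe set."""
    location = quote(validate_header_value(location_param), safe=":/?&=#%")
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\nContent-Length: 0\r\n\r\n"


def count_status_lines(raw):
    """Number of HTTP status lines in a raw response; a split response contains two."""
    return sum(1 for line in raw.split("\r\n") if line.startswith("HTTP/1.1 "))


# Constructed test value: a normal path, an encoded blank line, then a second status line.
CRAFTED = "/home%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Length:%200%0d%0a%0d%0a"
```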

Web Cache Poisoning Attack

Web cache poisoning attacks the reliability of an intermediate web cache. In this attack, the attacker replaces the cached content for a given URL with malicious content. Users of the web cache then unknowingly receive the poisoned content instead of the genuine content when they request that URL through the cache.

An attacker forces the web server’s cache to flush its actual content and sends a specially crafted request whose response is stored in the cache. In this case, all users of that web server cache receive malicious content until the cache is flushed again. Web cache poisoning attacks are possible if the web server or application has HTTP response-splitting flaws.

SSH Brute Force Attack

SSH is used to create an encrypted tunnel between two hosts so that otherwise unencrypted data can be carried over an insecure network. Usually SSH runs on TCP port 22. To attack SSH, the attacker scans for SSH servers using bots (a TCP port 22 scan) to identify possible targets. With a brute force attack, the attacker obtains login credentials to gain unauthorized access to an SSH session. An attacker who obtains SSH credentials can use that SSH tunnel to transmit malware and other means of exploitation to victims without being detected. Attackers use tools like Nmap and Ncrack on a Linux platform to perform an SSH brute force attack.
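On the defender’s side, the brute force described above leaves a dense run of failed logins from one source in the sshd log. This added example (not code from the original article) parses constructed syslog-style sshd lines and flags any source address with five or more failures inside a five-minute window; the log lines, thresholds and the assumed year used to parse the timestamps are all assumptions.

```python
"""Flag SSH brute-force sources from sshd auth-log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the classic syslog/sshd format; not from a real host.
SAMPLE_LOG = """\
Mar  4 10:15:01 web01 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Mar  4 10:15:03 web01 sshd[2103]: Failed password for root from 198.51.100.23 port 51123 ssh2
Mar  4 10:15:04 web01 sshd[2105]: Failed password for invalid user test from 198.51.100.23 port 51124 ssh2
Mar  4 10:15:06 web01 sshd[2107]: Failed password for invalid user guest from 198.51.100.23 port 51125 ssh2
Mar  4 10:15:09 web01 sshd[2109]: Failed password for root from 198.51.100.23 port 51126 ssh2
Mar  4 10:16:00 web01 sshd[2111]: Accepted publickey for deploy from 203.0.113.8 port 40022 ssh2
Mar  4 10:40:00 web01 sshd[2113]: Failed password for alice from 203.0.113.8 port 40023 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")


def parse_failures(log_text, year=2024):
    """Yield (timestamp, user, ip) for each failed-password line. syslog omits the year,
    so it is supplied by the caller (assumed here)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_failures} for sources with >= threshold failures inside any window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):      # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

A single failure from a source that also logged a successful key-based login, as in the last constructed line, is not flagged, which is the usual false-positive case to keep in mind.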

Web Server Password Cracking

An attacker tries to exploit weaknesses in order to crack poorly chosen passwords. The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, and so on. Password cracking is typically aimed at:

  • SMTP and FTP servers
  • Web shares
  • SSH tunnels
  • Web form authentication

Attackers use different methods such as social engineering, spoofing, phishing, Trojan horses or viruses, wiretapping and keystroke logging to obtain passwords. Many hacking attempts start with cracking a password and then presenting it to the web server as a legitimate user.

Web Server Password Cracking Techniques

Cracking a password is the most common method of gaining unauthorized access to a web server by exploiting a flawed or weak authentication mechanism. Once a password is cracked, an attacker can use it to launch further attacks.

Attackers can use the following password cracking techniques to extract passwords from web servers, FTP servers, SMTP servers, and so on. Let us look at the various password cracking tools and techniques attackers employ. Attackers can crack passwords either manually or with automated tools like Cain & Abel, Brutus and THC Hydra.

Following are the techniques attackers use to crack passwords:

– Guessing: This is the most common method of cracking passwords, in which the attacker guesses possible passwords either manually or with automated tools driven by dictionaries. Most people tend to use their pets’ names, loved ones’ names, license plate numbers, dates of birth, or other weak passwords like “QWERTY,” “password,” “admin,” and so on, so that they can remember them easily. The attacker exploits this human habit of keeping things simple to crack passwords.
– Dictionary Attack: A dictionary attack uses a predefined file of words and word combinations, and an automated program tries these words one at a time to see whether any of them is the password. This is not effective if the password includes special characters and symbols. If the password is a simple word, it is found quickly. Compared to a brute force attack, a dictionary attack is less time-consuming.
– Brute Force Attack: In the brute force method, all possible characters are tested, for instance uppercase A to Z, digits 0 to 9 and lowercase a to z. This method is useful for finding one-word or two-word passwords. If a password consists of uppercase and lowercase letters and special characters, it might take months or years to crack using brute force.
– Hybrid Attack: A hybrid attack is more powerful because it combines a dictionary attack with brute force, appending symbols and numbers to dictionary words. Password cracking becomes easier with this method.

Web Application Attacks

Even if web servers are configured securely or protected by network security measures like firewalls, a poorly coded web application deployed on the web server may give an attacker a path to compromise the web server’s security. If web developers do not adopt secure coding practices while developing web applications, attackers may be able to exploit vulnerabilities and compromise both the web application and the web server. An attacker can perform different types of attacks on vulnerable web applications to breach web server security.

– Parameter/Form Tampering: In this type of tampering attack, the attacker manipulates the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, or the price and quantity of products.
– Cookie Tampering: Cookie tampering attacks occur when a cookie is sent from the client side to the server. Different types of tools help in modifying persistent and non-persistent cookies.
– Unvalidated Input and File Injection Attacks: These attacks are performed by supplying unvalidated input or by injecting files into a web application.
– SQL Injection Attacks: SQL injection exploits a security vulnerability in the way an application talks to its database. The attacker injects malicious code into strings that are later passed to the SQL server for execution.
– Session Hijacking: Session hijacking is an attack in which the attacker exploits, steals, predicts or negotiates the control mechanism of a valid web session to access the authenticated parts of a web application.
– Directory Traversal: Directory traversal is the exploitation of HTTP through which attackers access restricted directories and execute commands outside the web server’s root directory by manipulating a URL.
– Denial-of-Service (DoS) Attack: A DoS attack is meant to terminate the operations of a website or server and make it unavailable to its intended users.
– Cross-Site Scripting (XSS) Attacks: In this method, an attacker injects HTML tags or scripts into a target website.
– Buffer Overflow Attacks: The design of most web applications lets them hold a certain amount of data. If that amount exceeds the storage space available, the application may crash or exhibit other vulnerable behaviour. The attacker takes advantage of this and floods the application with too much data, which in turn causes a buffer overflow.
– Cross-Site Request Forgery (CSRF) Attack: An attacker exploits the trust the server has in an authenticated user to pass malicious code or commands to the web server.
– Command Injection Attacks: In this type of attack, a hacker alters the content of a web page by using HTML code and by identifying the form fields that lack valid constraints.
– Source Code Disclosure: Source code disclosure may be the result of typographical errors in scripts or of misconfiguration, such as failing to grant executable permissions to a script or directory. This disclosure can allow attackers to obtain sensitive information such as database credentials and secret keys and compromise the web server.

Questions related to this topic

  1. What can an attacker do after gaining control of a Web server?
  2. How do I access a Web server?
  3. Which is a common web server vulnerability?
  4. Can you hack server sided games?

Learn CEH & Think like hacker

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com
