Vulnerability Scanners


October 2004


Data easily discovered by Web Scanners:

Web scanners can be used to discover a wide variety of vulnerabilities on a web server. The following list shows the types of vulnerable data that a scanner can easily discover. For each of these categories you should take extra care to ensure your server is protected and the data is securely locked down.

User names and passwords – An improperly secured web server can grant access to anonymous web users by releasing user name and encrypted password lists. Since these pages are not directly linked to from within the site, a hacker must know where to look. This is made trivial if the default locations of these files remain unchanged. Even if the locations have been changed, a brute-force search can often reveal their new locations. Once a hacker has a complete list of user names and passwords they can start cracking the passwords using a number of password auditing techniques, including many automated password crackers such as L0phtCrack, John the Ripper, and Cain.

Directory and file structure – If directory browsing is not turned off, a hacker can learn the file structure of the web server, exposing files and folders that the web administrator may not have meant to expose to users. Once the hacker knows which directory or file they want, they may be able to fetch it directly, bypassing the web pages that normally lead to it, by using alternate means such as wget or an unsupported browser such as lynx.

Helper files – Helper files that are used to store information are often improperly secured. If a hacker can access these files he/she can read any information in them, which might include secured directory paths, user names and/or passwords.

Java applets, Flash and ActiveX controls – If a Java applet or ActiveX control creates any server or database connections, a hacker may be able to intercept and change the packets travelling between the client and server. This could cause database problems, data exposure, data corruption, or even allow buffer-overrun code to be executed on the server. Java applets and Flash are extremely easy to decompile and should not be used for security-sensitive functions. If you have written and deployed an ActiveX control it is extremely important to think through all of the client-side security issues. Controls are easy to repurpose for use on a malicious web page, so do not assume that only trusted code will be making calls into your control's interfaces.

Forms – Input from form elements that is not validated on the server can lead to many different server-side problems, including cross-site scripting attacks, SQL injection, server-side code execution and others.

Query strings – Unchecked query strings can result in incorrect SQL queries being executed directly on the database. For instance, if a hacker knew that the username field from a form was going to be used in a SQL statement without being checked, he/she could easily construct a query string that comments out the rest of the query and injects the hacker's own malicious query. This query could return extra values, update rows, or drop tables in the database.

Cookie usage – Cookies can easily be stolen using cross-site scripting attacks or client redirection. For this reason no personal information such as username-password pairs, addresses, phone numbers, etc. should be stored in the cookie. Limit cookie usage to holding session identifiers that are verified on the server.

Hidden fields – Hidden fields are only hidden from the UI of the web page. They are easily read and modified by saving the web page to the local computer or by using a proxy.

Client-side input validation – Client-side input validation is recommended only as a way to give feedback to the user. All input must be checked server-side. Client-side validation is easily bypassed by downloading the web page to the local computer and removing the validation, or by using a proxy.
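As an added example (not code from the original article), the query-string and server-side-validation points above in Python with an in-memory SQLite table: the concatenated lookup lets a stray quote rewrite the WHERE clause and return every user, while a parameterised lookup behind a server-side allowlist check treats the same input as plain data. The table contents and the username pattern are constructed assumptions.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory user table standing in for a real login database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    # The unchecked value is pasted into the SQL text, so quote characters
    # in it change the structure of the statement the database executes.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_hardened(conn, username):
    # A parameterised query sends the value separately from the SQL text;
    # whatever it contains is compared as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# Assumed allowlist for user names: letters, digits and underscore only.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def is_valid_username(username):
    # Server-side check applied before the value reaches the database.
    # Client-side checks can be stripped by the user, so this one is authoritative.
    return bool(USERNAME_RE.match(username))

def login_lookup(conn, username):
    # Hardened path: reject malformed input, then use the parameterised query.
    if not is_valid_username(username):
        return []
    return lookup_hardened(conn, username)

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"   # constructed test input containing a stray quote
    print(lookup_vulnerable(db, crafted))  # every user: the WHERE clause was rewritten
    print(login_lookup(db, crafted))       # []: rejected, and parameterised regardless
    print(login_lookup(db, "alice"))       # ['alice']
```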

Vulnerable scripts or helper applications – A number of CGI scripts have had security vulnerabilities that allow a wide variety of damage to a server. Scanners can easily search for the existence of these scripts so that a hacker can exploit them. Similarly, numerous helper applications in use on web servers contain security flaws. An effective scanner maintains a database of the vulnerable helper applications and probes the server to determine whether those applications are present and ripe for exploitation.


Provided by: Security Innovation, The Application Security Company