Hacking Web Servers - An Overview
Web server is a system used for storing, processing, and delivering websites. It is designed to host web applications, allowing clients to access those applications.
It implements client-server model architecture, in which it has the server role, and the browser has the client role.
Web Servers consist of:
- Document root - a folder which stores HTML files of a website
- Server root - a folder which stores configuration, log, and executable files
- Virtual document tree - a type of storage located on a different disk and used when the original disk becomes full
- Virtual hosting - hosting more than one domain on a single server
- Web Proxy - a server placed between the client and server, which means that all requests coming from the client go through the proxy to the server, instead of directly going to the server
Web Server Threats and Attacks
Just as with any computer system, web servers too can be compromised. Attackers use various techniques to launch attacks on target web servers and gain unauthorized access.
Some of the attacks include:
DoS/DDoS Attacks
DoS/DDoS attack is an attack in which the attacker sends a large number of requests to the target web server to prevent the server from functioning properly.
DNS Server Hijacking
DNS server hijacking attack is an attack in which the attacker targets a DNS server and tempers with its mapping settings making it redirect clients to the attacker’s rogue server which serves the attacker’s malicious website.
DNS Amplification Attacks
DNS Amplification Attack is an attack in which the attacker uses the recursive DNS query to send a large number of requests with the target’s IP address to the DNS server prompting it to reply to the target’s IP address and in such a way overwhelms the target’s server.
Directory Traversal Attacks
Directory traversal attack is an attack in which the attacker manipulates the target URL to gain access to restricted directories.
MITM Attacks
Man-in-the-middle attack is an attack in which the attacker intercepts the traffic that is going from the client to the server and back. They do so by tricking the client into thinking that the attacker is a proxy. Once the client accepts the connection from the attacker, the entire communication between the client and the server goes through the attacker, allowing them to steal information.
Phishing Attacks
Phishing attack is an attack in which the attacker emails the target with malicious links. Once the target clicks on the link, they are redirected to a malicious website which prompts them to provide sensitive information. The attacker then steals this information.
Website Defacement
Website defacement attack is an attack in which the attacker makes changes to the target website’s content.
Web Server Misconfiguration
Web server misconfiguration attack is an attack in which the attacker exploits the vulnerabilities in the server misconfiguration.
HTTP Response Splitting Attacks
HTTP Response Splitting attack is an attack in which the attacker injects new lines into response headers, making the server split one response into two. The attacker is then able to control the first response coming from the server and redirect the client to a malicious website.
Web Cache Poisoning
Web cache poisoning is an attack in which the attacker replaces cached content with malicious one.
SSH Brute Force Attacks
SSH brute force attack is an attack in which the attacker acquires the SSH login credentials and create SSH tunnels between two hosts through which they can then transfer malicious content.
Web Server Password Cracking Attacks
Web server password cracking attack is an attack in which the attacker cracks the target server passwords and uses them to perform new attacks.
Web Application Attacks
Web application attack is an attack in which the attacker exploits vulnerabilities in the application code.
Hacking Methodology
Web Server Hacking Methodology provides attackers with steps to follow to execute a successful attack.
These steps are:
- Gather information about the target web server
- Learn about the server’s remote access capabilities, ports, and services
- Mirror the target website to browse it offline
- Discover vulnerabilities
- Perform session hijacking and password cracking attacks
During the information gathering step, the attacker might try to acquire the target’s robots.txt
file, which contains the directories and files that are hidden from web crawlers. This file could provide the attacker with information such as passwords, emails, and hidden links.
To perform the aforementioned steps and succeed in hacking, attackers use tools such as Metasploit and Wfetch.
Metasploit is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities.
Wfetch is a tool that displays the request and response so that the communication can be easily understood. It can be used to create HTTP requests that test the performance of new Web sites or of Web sites that contain new elements, such as Active Server Pages (ASP) or wireless protocols.
Web Server Attacks Countermeasures
It is recommended that a web hosting network is comprised of three parts:
- Internet
- DMZ
- Internal network
The web server should be placed in DMZ so that it is isolated from both Internet and internal network. Each part should be protected by a firewall and have its own hub or switch.
Another countermeasure is to ensure that the server is regularly updated, and that security patches and hotfixes are applied. Ports and protocols that are not being used should be blocked, as well as all unnecessary ICMP traffic.
Default passwords and unused default accounts should be changed and disabled respectively.
Logs should be monitored frequently to ensure that the server hasn’t been compromised.
Changes in executable and regular files can be discovered by running Website Change Detection System script which periodically performs a hash comparison on files to determine if there were any modifications made to them and raise an alert.