Bibliographic Information
Preventing Web Attacks with Apache
By: Ryan C. Barnett
Publisher: Addison-Wesley Professional
Pub. Date: January 27, 2006
Print ISBN-10: 0-321-32128-6
Print ISBN-13: 978-0-321-32128-2
B. Apache Module Listing
|
Module Name |
Description |
Security Risk |
Recommend |
|---|---|---|---|
|
Mod_mmap_static |
Maps identified web pages directly into memory for fast access speeds. |
Minimal. |
Disable. |
|
Mod_vhost_alias |
Creates dynamically configured virtual hosts, by allowing the IP address and/or the Host: header of the HTTP request to be used as part of the pathname to determine what files to serve. |
Minimal. |
Disable. |
|
Mod_bandwidth |
Enables server-wide or per-connection bandwidth limits, based on the directory, size of files, and remote IP/domain. |
Minimal. Will not significantly assist with denial of service attacks. |
Disable. |
|
Mod_throttle |
Intended to reduce the load on your server and bandwidth generated by popular virtual hosts, directories, locations, or users according to supported polices that decide when to delay or refuse requests. Also mod_throttle can track and throttle incoming connections by IP address or by authenticated remote user. |
Minimal. Will not significantly assist with denial of service attacks. |
Disable. |
|
Mod_env |
This module allows for control of the environment that will be provided to CGI scripts and SSI pages. Environment variables may be passed from the shell that invoked the httpd process. Alternatively, environment variables may be set or unset within the configuration process. |
Enabling CGI and SSI within the httpd server may imply a significant security impact; however, the addition of mod_env is unlikely to increase the security risk significantly. |
Enable if you are using the CGI scripts for ErrorDocuments; otherwise, disable. |
|
Mod_log_config |
Provides for logging of the requests made to the server, using the Common Log Format or a user-specified format. |
Server logging provides useful statistical and security functionality on the web server. See the section on auditing below for a discussion on log management. |
Enable; configure to use common log format. |
|
Mod_log_agent |
Provides logging of the client user agents. |
Server logging provides useful statistical and security functionality on the web server. See the section on auditing for a discussion on log management. |
Disable; use log_config instead. |
|
Mod_log_referer |
Provides logging of the referer page. |
Server logging provides useful statistical and security functionality on the web server. See the section on auditing for a discussion on log management. |
Disable; use log_config instead. |
|
Mod_mime_magic |
Determines the MIME type of a file by looking at a few bytes of its contents. This provides functionality over and above mod_mime. |
Minimal. This does not significantly affect server security, but allows the mime-type of files to be correctly sent to the web browser client. |
Disable by default, but enable subject to web server requirements if mod_mime is insufficient. |
|
Mod_mime |
Determines the MIME type of a file by looking at the file extension. |
Minimal. This does not significantly affect server security, but allows the mime-type of files to be correctly sent to the web browser client. |
Enable. This module is normally an essential prerequisite for normal operation. |
|
Mod_negotiation |
Provides a content negotiation capability for web data. Content negotiation is the selection of the document (or image) that best matches the client’s capabilities, from one of several available documents. An example would be where three different languages are supported by three (otherwise identical) web pages. Web browsers that specify a preference for Spanish, for example, may be sent the Spanish language version, while English language speakers will receive the English version. |
Minimal. |
Disable unless you have an identified requirement for content negotiation. |
|
Mod_status |
This module provides information on server activity and performance through the meta-web page /server-status page. |
The server-status page can provide potential attackers with useful information about your web server configuration, from which targeted attack profiles can be derived. |
Disable. Use ACLs if you must implement. Note that although this module is normally active, most apache configurations disable the /server-status link elsewhere in the configuration file. |
|
Mod_info |
This module provides information on server activity and performance through the meta-web page /server-info page. |
The server-info page can provide potential attackers with useful information about your web server configuration, from which targeted attack profiles can be derived. |
Disable. Use ACLs if you must implement. Note that although this module is normally active, most Apache configurations disable the /server-info link elsewhere in the configuration file. |
|
Mod_include |
This module facilitates Server Side Includes (SSI). SSI are directives that are placed in HTML pages and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology. |
SSI facilitates the provision of dynamic content, which can potentially be the result of a server-side executable (shell / perl scripts, or other executables). Allowing the execution of applications from the web server increases the risk profile of the web server. Passing user input to external applications may further increase that risk. |
Disable unless the site administration benefits clearly outweigh the potential risk of enabling SSI. It is recommended that code evaluation/ checking procedures be implemented for any applications that are called by an SSI-enabled page. |
|
Mod_autoindex |
Provides automatic index generation for directories within the webroot that do not have a default html page (for example, index.html). |
Automatic index generation allows external users to see the entire contents of the directory. There are situations where this is appropriate, such as file archives. If there is an intention to rely on “security through obscurity” to protect web resources, then this feature should be disabled. |
Disable. |
|
Mod_dir |
This module redirects users to either an appropriate “index.html” file, or an automatically generated index (via autoindex) when a user requests a URL with a trailing slash character. |
This form of redirection is an accepted part of the normal operation of a web server. The security implications are minimal. |
Disable. |
|
Mod_cgi |
This module facilitates the execution of external applications, generally in order to provide dynamic content to a web page. |
CGI facilitates the provision of dynamic content, which can potentially be the result of a server-side executable (shell / perl scripts, or other executables). Allowing the execution of applications from the web server increases the risk profile of the web server. Passing user input to external applications may further increase that risk. Significant web server vulnerabilities have resulted from bugs in CGI code in the past. |
Disable unless you are using CGI scripts for ErrorDocuments. It is recommended that code evaluation/checking procedures be implemented for any applications that are called by a CGI-enabled page. |
|
Mod_asis |
This module facilitates the provision of a particular file via HTTP, without prepending HTTP headers that are a normal part of the file delivery. Files can therefore include their own custom HTTP headers. |
Minimal. |
Disable, unless there is a requirement for custom headers. |
|
Mod_imap |
This module facilitates server-side image-map processing. |
Minimal. |
Disable unless required. |
|
Mod_actions |
This module provides for executing CGI scripts based on media type or request method—for example, a CGI script can be run whenever a file of a certain type is requested. |
CGI facilitates the provision of dynamic content, which can potentially be the result of a server-side executable (shell / perl scripts, or other executables). Allowing the execution of applications from the web server increases the risk profile of the web server. Passing user input to external applications may further increase that risk. Significant web server vulnerabilities have resulted from bugs in CGI code in the past. |
Disable unless you have a specific requirement, and the benefits clearly outweigh the potential risk of enabling CGI. It is recommended that code evaluation/checking procedures be implemented for any applications that are called by a CGI-enabled page. |
|
Mod_spelling |
This module attempts to correct misspellings of URLs that users might have entered, by ignoring capitalization and by allowing up to one misspelling. |
Minimal. |
Disable. |
|
Mod_userdir |
This module allows Apache to include within the web directory hierarchy, a specific directory within the home directories of local system users. |
Users can create a directory (such as public_html) within their home directories. With the addition of mod_userdir, apache will look within this directory when a request in the format of http://localhost/~username is received. Files within user directories are generally outside the control of the normal site webmaster, and if CGI/SSI is used, can also be outside the control of the site security administrator. |
Disable, unless there is a clear benefit to be gained, and only as a result of a risk assessment. |
|
Mod_alias |
This module allows an administrator to maintain multiple document stores, under different directory hierarchies, and map them into the web document tree. For example, although the default document root may be /www, the /data/applications/executables could be mapped to the /apps directory in the web tree. As such, a request for http://localhost/index.html would go to /www/ index.html on the file system, whereas a request for http://localhost/apps/ index.html, would go to /data/applications/executables/index.html on the file system. |
Minimal. |
Enable. |
|
Mod_rewrite |
Mod_rewrite is a complex module that provides a rule-based URL-rewriting facility. Mod_rewrite is particularly useful when a site upgrade leads to changes in URL locations, but the site wishes to allow users to retain their normal bookmarks, and still be able to get to the new information. |
Mod_rewrite has no significant security implications. |
Enable. It allows for filtering of identified malicious requests. |
|
Mod_access |
Provides access control based on client hostname, IP address, or other characteristics of the client request. |
Mod_access provides access control based only on information provided by the connection layer, or the client browser. It is recommended that mod_access be used for access control only where the organization has control over the data provided. For example, access control by IP address is likely to be inappropriate for Internet connections, where the security administrator has no control over the IP address. Access control by IP address may be more appropriate for internal networks where address allocation and network monitoring facilitate a reduced risk profile. |
Enable for use with ACLs (IP, network names, and hostnames). |
|
Mod_auth |
This module allows the use of HTTP Basic Authentication to restrict access by looking up users in plain-text password and group files. Similar functionality and greater scalability is provided by mod_auth_dbm and mod_auth_db. HTTP Digest Authentication is provided by mod_auth_digest. |
Mod_auth provides a very basic authentication and access control facility that is usually difficult to administer for large volumes of users. Basic UNIX ‘crypt’ format passwords are used, which could potentially be exported from /etc/passwd and /etc/shadow on UNIX systems to alleviate administration somewhat. |
Enable for user ACLs. If authentication is required, consider alternative authentication mechanisms, including certificate-based authentication or LDAP authentication. If mod_auth is used, consider using a specific, designated authentication file outside the normal web document tree, rather than the alternative .htaccess files within the document directory. |
|
Mod_auth_anon |
This module allows the use of HTTP Basic Authentication to restrict access by looking up users in plain-text password and group files. Similar functionality and greater scalability is provided by mod_auth_dbm and mod_auth_db. HTTP Digest Authentication is provided by mod_auth_digest. |
Mod_auth provides a very basic authentication and access control facility that is usually difficult to administer for large volumes of users. Basic UNIX ‘crypt’ format passwords are used, which could potentially be exported from /etc/passwd and /etc/shadow on UNIX systems to alleviate administration somewhat. |
Disable. If authentication is required, consider alternative authentication mechanisms, including certificate-based authentication, LDAP authentication, or ssh authentication using mod_auth_any. If mod_auth is used, consider using a specific, designated authentication file outside the normal web document tree, rather than the alternative .htaccess files within the document directory. |
|
Mod_auth_db |
This module allows the use of Berkeley database files for authentication purposes. |
Mod_auth_db provides a very basic authentication and access control facility that is usually difficult to administer for large volumes of users. Basic UNIX ‘crypt’ format passwords are used within the DB file, which could potentially be exported from /etc/passwd and /etc/shadow on UNIX systems to alleviate administration somewhat. |
Disable. If authentication is required, consider alternative authentication mechanisms, including certificate-based authentication, LDAP authentication, or ssh authentication using mod_auth_any. If mod_auth_db is used, consider using a specific, designated authentication file outside the normal web document tree, rather than the alternative .htaccess files within the document directory. |
|
Mod_auth_any |
This module allows the use of an arbitrary command-line tool to authenticate a user. |
Mod_auth_any is a powerful authentication facility that enables apache to utilize external user databases (such as LDAP directories, or potentially even Windows 2000 active directory) to authenticate users against provided authentication details. |
Disable by default. If authentication details need to be synchronized with an external database, consider using this functionality. Note that the supplied username and password are passed as command-line arguments to the indicated authentication application. As such, users on the local system may potentially pick up the authentication information using the ‘ps’ command. Applications that verify the authentication information should also be evaluated in the context of buffer-overflow vulnerabilities, as the supplied userid/password may potentially contain overflow code. If mod_auth_any is used, consider using a specific, designated authentication file outside the normal web document tree, rather than the alternative .htaccess files within the document directory. |
|
Mod_auth_dbm |
This module allows the use of Berkeley DBM files for authentication purposes. |
Mod_auth_dbm provides a very basic authentication and access control facility that is usually difficult to administer for large volumes of users. Basic UNIX ‘crypt’ format passwords are used within the DBM file, which could potentially be exported from /etc/passwd and /etc/shadow on UNIX systems to alleviate administration somewhat. |
Disable. If authentication is required, consider alternative authentication mechanisms, including certificate-based authentication or ssh authentication using mod_auth_any. If mod_auth_dbm is used, consider using a specific, designated authentication file outside the normal web document tree, rather than the alternative .htaccess files within the document directory. |
|
Mod_auth_ldap |
This module allows the use of an external LDAP database for authentication purposes. |
Mod_auth_ldap provides authenticationa and authorization from external ldap databases. |
Disable by default. Consider this authentication mechanism if the organization is interested in using an LDAP directory for authentication purposes. |
|
Mod_auth_mysql |
This module allows the use of an external MYSQL database for authentication purposes. |
Mod_auth_mysql provides an authentication and access control facility. Basic UNIX ‘crypt’ format passwords are used within the database, which could potentially be exported from /etc/passwd and /etc/shadow on UNIX systems to alleviate administration somewhat. |
Disable. If authentication is required, consider alternative authentication mechanisms, including certificate-based authentication, LDAP, or ssh authentication using mod_auth_any. |
|
Mod_auth_pgsql |
This module allows the use an external postgresql database for authentication purposes. |
Mod_auth_pgsql provides an authentication and access control facility. Basic UNIX ‘crypt’ format passwords are used within the database, which could potentially be exported from /etc/passwd and /etc/shadow on UNIX systems to alleviate administration somewhat. |
Disable. If authentication is required, consider alternative authentication mechanisms, including certificate-based authentication, LDAP, or ssh authentication using mod_auth_any. |
|
Mod_auth_digest |
This module is similar to mod_auth, but allows the use of MD5 digest-encrypted passwords, rather than basic UNIX CRYPT passwords. |
Mod_auth_digest provides an authentication and access control facility using MD5-encrypted passwords, as enabled on many recent Linux distributions. |
Disable. If authentication is required, consider alternative authentication mechanisms, including certificate-based authentication, LDAP, or ssh authentication using mod_auth_any. |
|
Mod_proxy |
This module turns the apache web server into a web proxy server. |
Care should be taken with the configuration of proxy servers, as if the intent is to facilitate internal organization access to external web sites, there is a risk that the reverse could be enabled, allowing Internet users to potentially browse internal web servers. |
If this server is a normal web server, then this module is not required for the normal operation and it should be disabled. If this server is being used as a proxy or a reverse proxy, then this module must be enabled. |
|
Mod_cern_mata |
This module facilitates the inclusion of custom CERN header data when a web page is served to a client. |
Minimal. |
Disable. This module is not required for the normal operation of a web server. |
|
Mod_expires |
Facilitates the inclusion of custom expiry headers within web pages. |
Minimal. |
Disable. This module is not required for the normal operation of a web server. |
|
Mod_headers |
Facilitates the inclusion/ modification/removal of headers within web pages. |
Minimal. |
Enable. We will use this module to insert bogus headers to help obfuscate both our web server software version and our web architecture. |
|
Mod_usertrack |
Allows the web site administrator to track the actions of individual users on a web site using cookies. |
It should be noted that it is a client/user choice whether to accept cookies from the site or not. As such, the data derived from this module should not be considered accurate or comprehensive. |
Enable if you want to insert bogus cookies to emulate a different web server (i.e., ASPSESSIONIDGGQGQQXC for Microsoft-IIS). |
|
Mod_example |
This is an example module only, and should not be enabled on production servers. |
Minimal. |
Disable. This module is not required for the normal operation of a web server. |
|
Mod_unique_id |
This module generates a unique identifier for a URL that is (almost) guaranteed to be unique across a cluster of http servers. |
Minimal. |
Disable. For normal web server activity, even in a clustered environment, unique ids are not required. |
|
Mod_setenvif |
This module allows for control of the environment that will be provided to CGI scripts and SSI pages, based on attributes associated with the client HTTP request. Environment variables may be passed from the shell that invoked the httpd process. Alternatively, environment variables may be set or unset within the configuration process. Environment variables can be set, for example, only if the User-Agent string provided by the client matches “netscape.” |
Enabling CGI and SSI within the httpd server may imply a significant security impact; however, the addition of mod_setenvif is unlikely to increase the security risk significantly. |
The normal recommendation would be to disable this feature unless you have CGI/SSI enabled, and you have an identified requirement to pass specific, static, environment variables to your scripts based on items such as browser type/version. However, as the feature is used within most configuration files to force an HTTP 1.0 response (as opposed to HTTP 1.1) for older browser technology, the default for most web servers would be to enable this feature. |
|
Libperl |
This module allows a web author to embed a subset of the PERL language within a web page, to be acted upon by the web server prior to delivering HTML to the client. |
Enabling any active scripting feature within the httpd server can increase the risk to the web server if external user input is acted upon by the script in question. |
Disable this functionality unless you have a specific requirement for active scripting using the PERL language. Note that although executing the PERL script using CGI capabilities is an option, the PERL interpreter is executed each time the CGI script is loaded. Using embedded PERL via the PERL module only loads the interpreter once, therefore increasing average processing speed. |
|
Mod_php Libphp3 Libphp4 |
This module allows a web author to embed PHP (personal home page) language components within a web page, to be acted upon by the web server prior to delivering HTML to the client. |
Enabling any active scripting feature within the httpd server can increase the risk to the web server if external user input is acted upon by the script in question. |
Disable this functionality unless you have a specific requirement for active scripting using the PHP language. |
|
Libdav |
This module implements DAV server capabilities within Apache. DAV is a collaborative web development environment that allows multiple authors to update web data in a controlled fashion. |
DAV allows modification of web pages by remote users, and integrates into the default apache authentication and access control facilities. If DAV is enabled on a web server that also serves pages to the general public, consider either: 1) Using a reverse proxy server in front of the http server that blocks facilities such as “PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK” from non-internal sources, or 2) Using web-dav on an ‘acceptance’ server only, with changed data mirrored to the production (available to the internet) web server. |
Disable this functionality unless you have a specific requirement for multiple users to update files. If DAV is required, analyze the risk to the infrastructure in the context of a risk assessment. |
|
Mod_roaming |
Mod_roaming allows the use of an apache server as a Netscape Roaming Access server. This facilitates the storage of Netscape Communicator 4.5 preferences, bookmarks, address books, cookies, etc. on the server. Netscape Communicator web clients can be used to access and update the settings. |
An HTTP server that implements Mod_roaming should generally be a special-purpose web server, only used for the storage/management of roaming profiles. Both read and write protocols are implemented to facilitate roaming profile capabilities. |
Disable this functionality unless you exclusively utilize netscape clients with roaming-profile capabilities. It is recommended that this be used only for intranet clients unless an appropriate risk assessment has been conducted. |
|
Libssl |
The Apache SSL module facilitates the use of X.509 certificates to provide Secure-Sockets-Layer encryption (and potentially, authentication) capabilities to Apache. |
Web pages served via HTTPS will increase the processing requirements of your system, but provide a level of confidentiality between client web browser and the web server. |
Disable this functionality unless you require message confidentiality or authentication within an encrypted channel. Note that software or hardware x.509 authentication tokens can be supported with this module, assuming appropriate client-side infrastructure is in place. |
|
Mod_put |
This module supports uploads of web pages via the HTTP PUT method. |
Write access to your server web pages should be carefully considered in the context of an appropriate risk assessment. If mod_put is enabled on a web server that also serves pages to the general public, consider either: 1) Using a reverse proxy server in front of the http server that blocks facilities such as “PUT” from non-internal sources, or 2) Using mod_put on an ‘acceptance’ server only, with changed data mirrored to the production (available to the internet) web server. |
Disable this functionality unless you have a specific requirement for non-local users to update files. |
|
Mod_python |
This module allows a web author to embed a subset of the Python language within a web page, to be acted upon by the web server prior to delivering HTML to the client. |
Enabling any active scripting feature within the httpd server can increase the risk to the web server if external user input is acted upon by the script in question. |
Disable this functionality unless you have a specific requirement for active scripting using the Python language. Note that although executing the Python script using CGI capabilities is an option, the Python interpreter is executed each time the CGI script is loaded. Using embedded Python via the Python module only loads the interpreter once, therefore increasing average processing speed. |
C. Example httpd.conf File
Authentication Setup
-
Basic (Must have Mod_Auth implemented).Client’s web browser sends MIME base64-encoded user credentials (username + password) to the web server when the browser receives a “401—Authorization Required” status code. Basic Authentication is easy to implement, but does not provide any real security against sniffing attacks.
-
Digest (Must have Mod_Digest implemented).This makes sending passwords across the Internet more secure. It effectively encrypts the password before it is sent such that the server can decrypt it. It works exactly the same as Basic authentication as far as the end-user and server administrator are concerned. The use of Digest authentication will depend on whether browser authors write it into their products. While Digest authentication does help with protecting the user’s credentials, it does not protect the data itself. You should implement SSL if you need to protect sensitive data in transit.
Access Control: Where Clients Come From
-
Hostname or Domain
-
IP Address or IP Range
-
Client Request ENV
Hostname or Domain
IP Address and IP Range
Client Request ENV
Protecting the Root Directory
-
Disable FollowSymLinks in the DocumentRoot directory directive.
-
Do not enable the mod_userdir module.
-
If you must use mod_userdir for proper functionality, implement the Userdir disabled root directive.
Authorization
Credential/Session Prediction
Credential/Session Prediction Example
|
1.
|
Attacker connects to the web application acquiring the current session ID.
|
|
2.
|
Attacker calculates or Brute Forces the next session ID.
|
|
3.
|
Attacker switches the current value in the cookie/hidden form-field/URL and assumes the identity of the next user.
|
Apache Countermeasures for Credential/Session Prediction Attacks
|
1.
|
Make sure to use SSL to prevent network sniffing of valid credentials.
|
|
2.
|
Add both the “secure” and “httponly” tokens to all SessionID cookies. These two cookie options will help to secure the credentials by forcing the user’s browser to only send this sensitive data over an SSL tunnel and also prevent scripts from accessing this data. The best solution for implementing this is to have the application developers update the code to include this parameter when generating/sending cookies to clients. It is possible, however, to have Apache add this token into the outbound cookie if you utilize Mod_Perl. You could implement a perl handler that can hook into the output filter of Apache with code such as this:
# read the cookie and append the secure parameter
my $r = Apache->request;
my $cookie = $r->header_in('Cookie'};
$cookie =~ s/SESSION_ID=(\w*)/$1; secure; httponly/;
|
|
3.
|
Also with Mod_Perl, you can implement the Apache::TicketAccess module that was highlighted in the book Writing Apache Modules with Perl and C by Lincoln Stein and Doug MacEachern. This module was designed to have the client authenticate once, and then it issued a hashed “ticket” that is checked on subsequent requests. The hash is generated based on the following data: the user’s name, IP address, an expiration date, and a cryptographic signature. This system provides increased security due to its use of the cryptographic signature and use of the client’s IP address for validation. Due to the popularity of proxy servers these days, you could also update the IP address token to only check the Class C range of the data instead of the full address or you could substitute the X_FORWARDED_FOR client header that is added by many proxies.
|
-
Session IDs are random. Methods used to create secure session credentials should rely on cryptographically secure algorithms.
-
Session IDs are large enough to thwart Brute Force attacks.
-
Session IDs will expire after a certain length of time. (1–2 days).
-
Session IDs are invalidated by both the client and server during log-out.
-
Require users to re-authenticate before performing critical web site operations.
-
Tying the session credential to the user’s specific IP addresses or partial IP range. Note: This may not be practical, particularly when Network Address Translation is in use.
-
It is generally best to use the session IDs generated by the JSP or ASP engine you are using. These engines have typically been scrutinized for security weaknesses, and they are not impervious to attacks; they do provide random, large session IDs. This is done in Java by using the Session object to maintain state, as shown here:
References
Insufficient Authorization
Insufficient Authorization Example
Apache Countermeasures for Insufficient Authentication
References
Insufficient Session Expiration
Insufficient Session Expiration Example
Apache Countermeasures Against Insufficient Session Expiration
-
Forcefully expire a session token after a predefined period of time that is appropriate. The time could range from 30 minutes for a banking application to a few hours for email applications. At the end of this period, the user must be required to re-authenticate.
-
Forcefully expire a session token after a predefined period of inactivity. If a session has not received any activity during a specific period, then the session should be ended. This value should be less than or equal to the period of time mentioned in the previous step. This limits the window of opportunity available to an attacker to guess token values.
-
Forcefully expire a session token when the user actuates the log-out function. The browser’s session cookies should be deleted and the user’s session object on the server should be destroyed (this removes all data associated with the session, it does not delete the user’s data). This prevents “back button” attacks and ensures that a user’s session is closed when explicitly requested.
-
Apache::TicketAccess
-
Apache::Session
-
CGI::Session
References
Session Fixation
Session Fixation Example
|
1.
|
Session set-up. The attacker sets up a “trap-session” for the target web site and obtains that session’s ID. Or, the attacker may select an arbitrary session ID used in the attack. In some cases, the established trap session value must be maintained (kept alive) with repeated web site contact.
|
|
2.
|
Session fixation. The attacker introduces the trap session value into the user’s browser and fixes the user’s session ID.
|
|
3.
|
Session entrance. The attacker waits until the user logs into the target web site. When the user does so, the fixed session ID value will be used and the attacker may take over.
|
Issuing a New Session ID CookieValue Using a Client-Side Script
Issuing a Cookie Using the META Tag
Issuing a Cookie Using an HTTP Response Header
-
Breaking into a web server in the domain (e.g., a poorly maintained WAP server).
-
Poisoning a user’s DNS server, effectively adding the attacker’s web server to the domain.
-
Setting up a malicious web server in the domain (e.g., on a workstation in Windows 2000 domain; all workstations are also in the DNS domain).
-
Exploiting an HTTP response splitting attack.
NOTEA long-term Session Fixation attack can be achieved by issuing a persistent cookie (e.g., expiring in 10 years), which will keep the session fixed even after the user restarts the computer, as shown here:
Code View: Scroll / Show All
http://example/
.idc
|
Apache Countermeasures for Session Fixation Attacks
-
Session set-up.
-
Session fixation.
-
Session entrance.
Session Set-Up
Session Fixation
Session Entrance
References
Information Disclosure
The Information Disclosure section covers attacks designed to acquire system-specific information about a website. This system-specific information includes the software distribution, version numbers, and patch levels, or the information may contain the location of backup files and temporary files. In most cases, divulging this information is not required to fulfill the needs of the user. Most websites will reveal some data, but it’s best to limit the amount of data whenever possible. The more information about the website an attacker learns, the easier the system becomes to compromise.
Directory Indexing
Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file (index.html/home.html/default.htm) is not present. When a user requests the main page of a website, he normally types in a URL such as http://www.example.com, using the domain name and excluding a specific file. The web server processes this request and searches the document root directory for the default filename and sends this page to the client. If this page is not present, the web server will issue a directory listing and send the output to the client. Essentially, this is equivalent to issuing a “ls” (Unix) or “dir” (Windows) command within this directory and showing the results in HTML form. From an attack and countermeasure perspective, it is important to realize that unintended directory listings may be possible due to software vulnerabilities (discussed next in the example section) combined with a specific web request.
When a web server reveals a directory’s contents, the listing could contain information not intended for public viewing. Often web administrators rely on “Security Through Obscurity,” assuming that if there are no hyperlinks to these documents, they will not be found, or no one will look for them. The assumption is incorrect. Today’s vulnerability scanners, such as Nikto, can dynamically add additional directories/files to include in their scan based upon data obtained in initial probes. By reviewing the /robots.txt file and/or viewing directory indexing contents, the vulnerability scanner can now interrogate the web server further with this new data. Although potentially harmless, directory indexing could allow an information leak that supplies an attacker with the information necessary to launch further attacks against the system.
Directory Indexing Example
The following information could be obtained based on directory indexing data:
-
Backup files—with extensions such as .bak, .old, or .orig.
-
Temporary files—these are files that are normally purged from the server but for some reason are still available.
-
Hidden files—with filenames that start with a “.” (period).
-
Naming conventions—an attacker may be able to identify the composition scheme used by the web site to name directories or files. Example: Admin versus admin, backup versus back-up, and so on.
-
Enumerate user accounts—personal user accounts on a web server often have home directories named after their user account.
-
Configuration file contents—these files may contain access control data and have extensions such as .conf, .cfg, or .config.
-
Script contents—Most web servers allow for executing scripts by either specifying a script location (e.g., /cgi-bin) or by configuring the server to try and execute files based on file permissions (e.g., the execute bit on *nix systems and the use of the Apache XBitHack directive). Due to these options, if directory indexing of cgi-bin contents are allowed, it is possible to download/review the script code if the permissions are incorrect.
There are three different scenarios where an attacker may be able to retrieve an unintended directory listing/index:
-
The web server is mistakenly configured to allow/provide a directory index. Confusion may arise of the net effect when a web administrator is configuring the indexing directives in the configuration file. It is possible to have an undesired result when implementing complex settings, such as wanting to allow directory indexing for a specific sub-directory, while disallowing it on the rest of the server. From the attacker’s perspective, the HTTP request is normal. They request a directory and see if they receive the desired content. They are not concerned with or care “why” the webserver was configured in this manner.
-
Some components of the web server allow a directory index even if it is disabled within the configuration file or if an index page is present. This is the only valid “exploit” example scenario for directory indexing. There have been numerous vulnerabilities identified on many web servers that will result in directory indexing if specific HTTP requests are sent.
-
Search engines’ cache databases may contain historical data that would include directory indexes from past scans of a specific web site.
Apache Countermeasures for Directory Indexing
First of all, if directory indexing is not required for some specific purpose, then it should be disabled in the Options directive, as outlined in Chapter 4 . If directory indexing is accidentally enabled, you can implement the following Mod_Security directive to catch this information in the output data stream. Figure 7.1 shows what a standard directory index web page looks like.
Figure 7.1. Standard directory index web page.
Web pages that are dynamically created by the directory indexing function will have a title that starts with “Index of /”. We can use this data as a signature and add the following Mod_Security directives to catch and deny this access to this data:
References
Directory Indexing Vulnerability Alerts www.securityfocus.com/bid/1063 www.securityfocus.com/bid/6721 www.securityfocus.com/bid/8898
Nessus “Remote File Access” Plugin web page http://cgi.nessus.org/plugins/dump.php3?family=Remote%20file%20access
Web Site Indexer Tools www.download-freeware-shareware.com/Internet.php?Theme=112
Search Engines as a Security Threat http://it.korea.ac.kr/class/2002/software/Reading%20List/Search%20Engines%20a%20a%20Security%20Threat.pdf
The Google Hacker’s Guide http://johnny.ihackstuff.com/security/premium/The_Google_Hackers_Guide_v1.0.pdf
Information Leakage
Information Leakage Example
Apache Countermeasures for Information Leakage
Preventing Verbose Error Messages
Preventing Comments in HTML
References
Path Traversal
Path Traversal Examples
Path Traversal Attacks Against a Web Server
Path Traversal Attacks Against a Web Application
Path Traversal Attacks Against a Web Application Using Special-Character Sequences
Apache Countermeasures for Path Traversal Attacks
References
Predictable Resource Location
Predictable Resource Location Examples
Blind Searches for Common Files and Directories
Adding Extensions to Existing Filename: (/test.asp)
Apache Countermeasures for Predictable Resource Location Attacks
Logical Attacks
Abuse of Functionality
Abuse of Functionality Examples
-
Using a web site’s search function to access restricted files outside of a web directory.
-
Subverting a file upload subsystem to replace critical internal configuration files.
-
Performing a DoS by flooding a web-login system with good usernames and bad passwords to lock out legitimate users when the allowed login retry limit is exceeded.
Matt Wright’s FormMail
Macromedia’s Cold Fusion
Smartwin CyberOffice Shopping Cart Price Modification
Apache Countermeasures for Abuse of Functionality
References
Denial of Service
DoS Example
-
DoS targeting a specific user. An intruder will repeatedly attempt to login to a web site as some user, purposely doing so with an invalid password. This process will eventually lock out the user.
-
DoS targeting the database server. An intruder will use SQL injection techniques to modify the database so that the system becomes unusable (e.g., deleting all data, deleting all usernames, and so forth).
-
DoS targeting the web server. An intruder will use Buffer Overflow techniques to send a specially crafted request that will crash the web server process, causing the system to be inaccessible to normal user activity.