HANDS-ON ETHICAL HACKING AND NETWORK DEFENSE
Lesson 10
Hacking Web Servers

OBJECTIVES
Collection Information
Describe Web applications
Explain Web application vulnerabilities
Describe the tools used to attack Web servers

UNDERSTANDING WEB APPLICATIONS
It is nearly impossible to write a program without bugs
  Some bugs create security vulnerabilities
Web applications also have bugs
  Web applications have a larger user base than standalone applications
  Bugs are a bigger problem for Web applications

WEB APPLICATION COMPONENTS
Static Web pages
  Created using HTML
Dynamic Web pages
  Need special components
    <form> tags
    Common Gateway Interface (CGI)
    Active Server Pages (ASP)
    PHP
    ColdFusion
    Scripting languages
    Database connectors

WEB FORMS
Use the <form> element or tag in an HTML document
  Allows customer to submit information to the Web server
Web servers process information from a Web form by using a Web application
Easy way for attackers to intercept data that users submit to a Web server

WEB FORMS (CONTINUED)
Web form example

    <html><body><form>Enter ...
    name="password"></form></body></html>

COMMON GATEWAY INTERFACE (CGI)
Handles moving data from a Web server to a Web browser
The majority of dynamic Web pages are created with CGI and scripting languages
Describes how a Web server passes data to a Web browser
  Relies on Perl or another scripting language to create dynamic Web pages
CGI programs can be written in different programming and scripting languages

COMMON GATEWAY INTERFACE (CGI) (CONTINUED)
CGI example
  Written in Perl
  Hello.pl
  Should be placed in the cgi-bin directory on the Web server

    #!/usr/bin/perl
    print "Content-type: text/html\n\n";
    print "Hello Security Testers!";

ACTIVE SERVER PAGES (ASP)
With ASP, developers can display HTML documents to users on the fly
  Main difference from pure HTML pages
  When a user requests a Web page, one is created at that time
ASP uses scripting languages such as JScript or VBScript
Not all Web servers support ASP

ACTIVE SERVER PAGES (ASP) (CONTINUED)
ASP example

    <HTML><HEAD><TITLE>...
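
Added example (not part of the original slides), relating to the Web forms slides above: a `<form>` tag with no `method` attribute submits with GET, so a password field ends up in the URL, and a form posted over plain HTTP can be read in transit. The checker below flags both conditions; the sample pages, the `example.com` URLs and the names `FormAuditor` and `audit` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormAuditor(HTMLParser):
    """Collects each <form> and records whether it holds a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []    # one dict per <form> seen
        self._open = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML default: a form without a method attribute uses GET.
            self._open = {"method": (a.get("method") or "get").lower(),
                          "action": a.get("action") or "",
                          "has_password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if ((a.get("type") or "text").lower() == "password"
                    or "pass" in (a.get("name") or "").lower()):
                self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit(html, page_url):
    """Return one list of findings per form found in the page."""
    parser = FormAuditor()
    parser.feed(html)
    results = []
    for form in parser.forms:
        issues = []
        if form["has_password"]:
            if form["method"] != "post":
                issues.append("password sent with GET: value appears in the URL")
            # An empty or relative action inherits the scheme of the page.
            scheme = urlparse(form["action"]).scheme or urlparse(page_url).scheme
            if scheme != "https":
                issues.append("submitted over cleartext HTTP")
        results.append(issues)
    return results

# Constructed sample pages (not taken from the slides).
WEAK = ('<html><body><form>Enter password: '
        '<input type="text" name="password"></form></body></html>')
FIXED = ('<form method="post" action="https://www.example.com/login">'
         '<input type="password" name="password"></form>')

if __name__ == "__main__":
    print(audit(WEAK, "http://www.example.com/login.html"))
    print(audit(FIXED, "http://www.example.com/login.html"))
```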