Vulnerable CGI Scripts • Chapter 4 161 Summary CGI programs can be a great benefit or a great burden, depending on whether you’ve protected yourself against possible vulnerabilities that can be used to hack your site.We saw in this chapter that CGI programs and scripts run on the server side, and act as a middleman between the Web server and an external application.They are used on numerous sites on the Web, and for a variety of purposes. In terms of e-commerce sites, they are essential to the method in which business is conducted, and many sites cannot function without them. Break-ins resulting from weak CGI scripts can occur in a variety of ways.This may be through gaining access to the source code of the script and finding vulnerabilities contained in them, or by viewing infor- mation showing directory structure, usernames, and/or passwords. By manipulating these scripts, a hacker can modify or view sensitive data, or even shut down a server so that users are unable to use the site. In most cases, the cause of a poor CGI script can be traced back to the person who wrote the program. However, by following good coding practices and avoiding common problems, you can avoid such problems, and you will be able to use CGI programs without compromising the security of your site. Solutions Fast Track What Is a CGI Script, and What Does It Do? ; CGI is used by Web servers to connect to external applications. It provides a way for data to be passed back and forth between the visitor to a site and a program residing on the Web server. CGI isn’t the program itself, but the medium used to exchange information between the Web server and the Internet applica- tion or script. www.syngress.com 137_hackapps_04 6/19/01 3:34 PM Page 161 162 Chapter 4 • Vulnerable CGI Scripts ; CGI uses server-side scripting and programs. Code is executed on the server, so it doesn’t matter what type of browser the user is using when visiting your site. ; Uses for CGI are found at sites such as eBay and e-commerce sites that may use more complex CGI scripts and programs for making transactions; guest books, chatrooms, and comment or feedback forms are another common use for CGI programs. ; CGI should be used when you want to provide a dynamic, interactive Web page, and need to take advantage of the Web server’s functions and abilities.They are an excellent means to searching and storing information in a database, processing forms, or using information that is available on the server and cannot be accessed through other methods. However, you should consider using CGI programs when interaction with the user will be limited. ; Many ISPs don’t provide CGI support, as poorly written scripts and programs are a security risk, and may jeopardize the secu- rity of that site and others hosted on their Web server. Break-Ins Resulting from Weak CGI Scripts ; One of the most common methods of hacking a Web site is to find and use poorly written CGI scripts. Using a CGI script, you may be able to acquire information about a site, access directo- ries and files you wouldn’t normally be able to see or download, and perform various other unwanted and unexpected actions. ; It is important that you ensure that the form used to collect data from users is compatible with the CGI script. ; Your code should analyze the data it is receiving, and provide error-handling code to deal with problems. Error handling deals with improper or unexpected data that’s passed to the CGI script. It allows you to return messages informing the user that certain fields haven’t been filled out, or to ignore certain data. www.syngress.com 137_hackapps_04 6/19/01 3:34 PM Page 162 Vulnerable CGI Scripts • Chapter 4 163 ; Wrapper programs and scripts can be used to enhance security when using CGI scripts.They can provide security checks, con- trol ownership of a CGI process, and allow users to run the scripts without compromising your Web server’s security. Languages for Writing CGI Scripts ; A compiled CGI program would be written in a language like C, C++, or Visual Basic.With this type of program, the source code must first be run through a compiler program.The com- piler converts the source code into machine language that the computer on which the program is run can understand. Once compiled, the program then has the ability to be executed. ; An interpreted language combines compilation and execution. When a user requests a script’s functionality, it is run through a program called an interpreter, which compiles it and executes it. For example, when you run a Perl script, it is compiled every time the program is executed. ; One issue with Unix shell programs is that you are more lim- ited in controlling user input and other security issues than in other languages. ; Perl has become a common method of creating CGI scripts. While a good choice for new programmers, it should not be mistaken as being a poor choice for complex programs. One problem with Perl is that, because it is interpreted, it is compiled and executed as one step each time the program is called. For this reason, there is greater possibility that bad data submitted by a user will be included as part of the code. ; C or C++ are another option.A common problem that occurs when Internet programs are created with C or C++ is buffer overflows. A way to avoid this problem is to use the MAXSIZE attribute for any fields used on a form.This will limit the amount of data a user can enter through normal means. www.syngress.com 137_hackapps_04 6/19/01 3:34 PM Page 163 164 Chapter 4 • Vulnerable CGI Scripts Advantages of Using CGI Scripts ; CGI is beneficial because all code is run on the server. JavaScript, ActiveX components, Java applets, and other client- side scripts and programs all run on the user’s computer.This makes it possible for adept hackers to make use of this informa- tion and attack your site. ; With CGI, you can protect yourself by controlling permissions to various directories, hiding code within compiled programs, and other methods. Rules for Writing Secure CGI Scripts ; Limit user interaction. ; Don’t trust input from users. ; Don’t use GET to send sensitive data. ; Never include sensitive information in a script. ; Never give more access than is absolutely necessary. ; Program on a computer other than the Web server, and ensure that temporary files and backup files of your scripts are removed from the server before your site goes live. ; Double-check the source code of any third-party CGI programs. ; Test your CGI script or program. www.syngress.com 137_hackapps_04 6/19/01 3:34 PM Page 164 Vulnerable CGI Scripts • Chapter 4 165 Q: Which is the best language for writing CGI scripts/programs? A: There is no one “best” language for writing CGI scripts and pro- grams, although programmers who use a specific language will argue this. Shell scripts are generally used for small programs where secu- rity isn’t an issue, while larger, more complex programs will use lan- guages such as C, C++, or Visual Basic.The most common language for writing CGI scripts is Perl. Q: When I’m writing my CGI program, do I need to worry about the type of browser a user is using to visit my site? A: Generally, no. CGI programs run on the server side, so no code actu- ally runs on the client’s computer. Because the CGI program runs on the server, it won’t matter what type of browser a user is running. Q: I only know older programming languages, and don’t know Perl, C, C++, or Visual Basic. I don’t have the time to learn new languages. What can I do? A: Any programming language that can work with CGI can be used to create CGI programs. For example, if your Web server ran on a Unix system, then any application that uses standard input and standard output could be used to create a CGI program. Q: Can I use client-side and server-side scripting for my Web site, or am I limited to one or the other? www.syngress.com Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. 137_hackapps_04 6/19/01 3:34 PM Page 165 166 Chapter 4 • Vulnerable CGI Scripts A: Client-side and server-side scripting can both be used on a site. In fact, you can use client-side and server-side scripting together for your program.There are a number of JavaScripts that check data before it is submitted to a CGI program. However, it is best if your CGI program checks the data it receives for security reasons. In addi- tion, Java applets or ActiveX components can be used as a user inter- face, and pass the data to the Web server for processing by your CGI program. Q: My company doesn’t run its own Web server and uses an Internet service provider.The ISP doesn’t allow CGI scripts.What can I do? A: If your ISP is firmly opposed to its customers running their own scripts, then you have few options. Many ISPs don’t allow CGI pro- grams, because security holes in them can impact the sites belonging to their other customers.You can move your site to another ISP, or get your own Web server. www.syngress.com 137_hackapps_04 6/19/01 3:34 PM Page 166 Hacking Techniques and Tools Solutions in this chapter: ■ A Hacker’s Goals ■ The Five Phases of Hacking ■ Social Engineering ■ The Intentional “Back Door” Attack ■ Exploiting Inherent Weaknesses in Code or Programming Environments ■ The Tools of the Trade ; Summary ; Solutions Fast Track ; Frequently Asked Questions Chapter 5 167 137_hackapps_05 6/19/01 3:35 PM Page 167 168 Chapter 5 • Hacking Techniques and Tools Introduction Hackers could be best described as “super coders.” Like those in any other profession, hackers have distinct methodologies and processes that they follow prior to any given attack. Hackers set goals, unite, and work to achieve their goals both individually and as a team effort.There are five distinct phases to hacking that we cover within this chapter. After an intruder has selected his victim, an attack map must be cre- ated.This attack map will aid the hacker in understanding exactly (or as close to exactly as that hacker actually needs to be) how his victim’s net- works, systems, and applications interoperate.After this attack map has been established, the intruder will then assemble an execution plan.The execution plan will assist the hacker in discovering vulnerabilities within the victim’s system, allowing for the most success in the intrusion attempt. It is at this point that the hacker will most likely do as much research as is needed, using common defect- and vulnerability-tracking databases. As you can imagine, every little bit helps a hacker when it comes to knowing his victim’s potential weaknesses. Knowing that hackers are searching for common vulnerabilities in every aspect possible means that as a developer, or even a network administrator, we should be using every tool possible to protect the work we do. Chances are good that the code you are writing is the same code that hackers may have once written themselves and are now hacking. That is part of what makes them so good at what they do; they have done your job and may still be.Another thing that makes hackers so good is the amount of research that they do prior to attacking a Web site. Hackers educate themselves to stay current with the latest changes in technology, with the newest languages that code is being written in, and with any vulnerability—theoretical or actual—that may have been reported. Hackers are never far behind you when you are programming. After hackers have completed the research necessary to begin a suc- cessful attack, they begin to determine what the best point of entry will be for the attack.The point of entry is a very important decision to make, because the intruder does not want to take the most obvious path in— because that may be an intentional back door that was set up as a trap. www.syngress.com 137_hackapps_05 6/19/01 3:35 PM Page 168 www.syngress.com Using an obvious point of entry could also mean that that hacker may be more likely to bump into other hackers. After the point of entry has been established, the hacker will begin to work on the plan to gain continued and deeper access into the system. Hackers, being somewhat territorial, tend to want to cover their tracks, not just to prevent detection, but to better their chances that they will be able to return at a later point. To do all of these tasks, hackers give themselves a distinct advantage with the tools that are readily available to them.These tools are advanced and provide a significant aid in the intrusion process. Hex Editors and Debuggers are just two samples of tools that a hacker may use.The good news is that developers have access to these same tools, and when applied to code prior to moving that code to a production environment, they may prevent many malicious attacks. Hackers will generally need these tools (and more) to complete the final phase of a typical attack plan: damage. Let’s be realistic, the ultimate goal is to per- petuate their unauthorized access as much as possible, even to the point of total data destruction. This chapter walks you through the tools and techniques that hackers use to hedge their bets a bit. In addition to the five phases of an attack, we will also discuss goals of hackers and the tools they use to accomplish those goals.This chapter will help to give developers a much needed edge in the way a hacker works. Oftentimes the very tools that we use to make our work more secure are the same tools that they are using to exploit our networks and code. Hopefully after this chapter is complete, we will be able to turn the tables back in our favor. Under- standing a hacker’s goals should be a good start to turning those tables. A Hacker’s Goals Historically, a common perception existed of the intruder as one who sits at a terminal for hours, manually entering password after password at a terminal, occasionally taking a pencil from between his teeth to cross out one more failed attack plan on a sheet of paper.This stereotype has since yielded to a more Hollywood-style scenario that casts the intruder as a techno-goth sitting in a basement, surrounded by otherwise outdated Hacking Techniques and Tools • Chapter 5 169 137_hackapps_05 6/19/01 3:35 PM Page 169 170 Chapter 5 • Hacking Techniques and Tools www.syngress.com equipment that can nevertheless be utilized to penetrate the strongholds of commerce and government alike.The skills of the intruder are touted as nothing less than legendary: no matter what hardware he’s using or the difficulty of the challenge before him, he will somehow magically slice through the most ardent defenses the way a hot knife cuts through butter. In the real world, the actual intruder’s skills lie somewhere between these antiquated and contemporary stereotypes. It’s been said that sufficiently advanced technologies and techniques are indistinguishable from magic.To many, the contemporary hacker seems unstoppable: through skilled use of many and varied technologies, he can minimize the warning signs of his presence, maximize his access, and severely compromise the integrity of a target system. Our goal here is to delineate the tactics and techniques utilized by intruders, thus revealing that the “magic” of the intruder is typically little more than electronic sleight of hand. Minimize the Warning Signs The Hollywood-fashioned hacker that continually assaults a system login would not last an hour in the midst of contemporary firewalls and Intrusion Detection Systems (IDSs).Today’s intruder is armed with an arsenal of far more sophisticated tools, which enable him to carry out more automated and intelligently planned attacks. Anyone who’s been a victim of an intruder’s attack often comes away from the incident wondering why her system was chosen.The reasons are great in number.The intruder may simply be curious about a given site’s products and services and wanted to get all the information he possibly could.The intruder may have had a personal grudge against one of the network’s users or employees. In some cases, the attacked domain could be a high-profile site, which would afford the intruder a certain amount of “bragging rights” if successfully penetrated. Incredibly, there are even some intruders who admit outright that they were “bored” and the victim system was simply ripe for the taking.Whatever the motivation, one can rest assured that somehow, somewhere, someone is likely scoping out his network to assess a plan of attack at any given time. 137_hackapps_05 6/19/01 3:35 PM Page 170 [...]... Personnel From: Security Tiger Team Subject: Mandatory password change Effective immediately, all personnel are directed to change their login passwords Please click on the following link www.yourcomany.com@ 349 2 141 032/ 543 21/ You will need to enter your current password and then select a new password Thank you for your cooperation Sincerely,... Microsoft-IIS /4. 0 Date: Fri, 16 Feb 2001 18 :45 :23 GMT Content-Length: 526 Content-Type: text/html Connection closed by foreign host www.syngress.com 181 137 _hackapps_ 05 182 6/19/01 3:35 PM Page 182 Chapter 5 • Hacking Techniques and Tools From the response the server provided, we now know that this system’s OS is Microsoft NT and the Web server is Microsoft’s Internet Information Server version 4. 0.This... Web. To locate information on the site and its product, we will use Google (www.google.com), using a simple search as shown in Figure 5.1 Figure 5.1 Results from a Web Search for “Treachery Unlimited” and “WhiffRead” www.syngress.com 179 137 _hackapps_ 05 180 6/19/01 3:35 PM Page 180 Chapter 5 • Hacking Techniques and Tools From the results provided by the search engine, we now know that the company Web. .. among the most popular dates on which intrusion attempts occur Friday afternoons, in general, are popular too www.syngress.com 173 137 _hackapps_ 05 1 74 6/19/01 3:35 PM Page 1 74 Chapter 5 • Hacking Techniques and Tools Perhaps the most well-documented holiday attack was the 19 94 Christmas Day intrusion of Tsutomu Shimomura’s system in San Diego, California Around 2:00 PM that day, while staff was at a minimum... price of genuine security www.syngress.com 187 137 _hackapps_ 05 188 6/19/01 3:35 PM Page 188 Chapter 5 • Hacking Techniques and Tools Social Engineering One signature logo for one of the most popular hacker conventions, DefCon (www.defcon.org), bears three simple icons: a computer disk to represent computer hacking; a phone rotary dial to represent phone hacking, also known as phreaking; and a smiling... Tools & Traps… Nessus The only true way to defend your system is to look at it through the eyes of your enemy: the intruder A number of automated utilities can probe your networks to look for common exposures and vulnerabilities One of the foremost freeware tools is a package called Nessus Continued www.syngress.com 137 _hackapps_ 05 6/19/01 3:35 PM Page 175 Hacking Techniques and Tools • Chapter 5 Nessus... acquired only through the www.syngress.com 193 137 _hackapps_ 05 1 94 6/19/01 3:35 PM Page 1 94 Chapter 5 • Hacking Techniques and Tools more brazen approach: an in-the-flesh visit In this instance, the attack is committed almost entirely by practiced con artists whose ability at pulling off a charade borders on professionalism.This is perhaps the only instance in hackerdom in which one’s physical appearance... (http://packetstorm securify.com) In reviewing each of these sites, one can readily find a number of attacks against Microsoft NT and its IIS Web server At last count, nearly www.syngress.com 137 _hackapps_ 05 6/19/01 3:35 PM Page 183 Hacking Techniques and Tools • Chapter 5 40 0 such exploits have occurred dating back to 1995 Many of these attacks on the OS and services apart from IIS can be quickly dismissed... Internet these days are rarely up to date on patchlevels, it is unusual that even a three-layer attack plan is exhausted before an actual penetration occurs www.syngress.com 183 137 _hackapps_ 05 1 84 6/19/01 3:35 PM Page 1 84 Chapter 5 • Hacking Techniques and Tools Upon deciding the primary, secondary, and tertiary methods of attack, the plan can go into action In this instance, the Unicode exploit will be attempted... from being exploited by outside parties As described in Chapter 1, many kinds of hackers are out there, and many of them are professionals or white hat hackers who do not hack for their own gain The use of hacker tools is often seen as unsavory by the typical manager.They view any use of such tools as tacit legitimization of hackerbased tactics and strategies.To this, one can counter that the use of such . can move your site to another ISP, or get your own Web server. www.syngress.com 137 _hackapps_ 04 6/19/01 3: 34 PM Page 166 Hacking Techniques and Tools Solutions in this chapter: ■ A Hacker’s. any third-party CGI programs. ; Test your CGI script or program. www.syngress.com 137 _hackapps_ 04 6/19/01 3: 34 PM Page 1 64 Vulnerable CGI Scripts • Chapter 4 165 Q: Which is the best language. the amount of data a user can enter through normal means. www.syngress.com 137 _hackapps_ 04 6/19/01 3: 34 PM Page 163 1 64 Chapter 4 • Vulnerable CGI Scripts Advantages of Using CGI Scripts ; CGI is beneficial