12.1 Hacking web servers - Introduction

Thanks! Share it with your friends!

URL

You disliked this video. Thanks for the feedback!

Sorry, only registred users can create playlists.
URL


Added by Admin in
7 Views

Description

Hacking Web Servers – introduction
A web server is a computer system that processes requests via Hypertext Transfer Protocol (HTTP), to distribute information on the World Wide Web (WWW).
• The primary function of a web server is to store, process and deliver web pages to clients. The communication between client and server takes place using the HTTP.
• Pages delivered are HTML documents, which may include images, style sheets and scripts in addition to text content and dynamic database content.
Web server hacking
Attackers exploit vulnerabilities in the web servers and take control of them. Attack vectors are mostly:
• Default settings
• Mis-configuration
• Bugs in Web servers- known OR unknown
• Weak security policies
Web Server types
Latest statistics of the market share of all sites of the top web servers on the Internet.
Apache has nearly half the market share and top 3 out of ~40 web servers have a share of 94.6%.
https://w3techs.com/technologies/overview/web_server/all
Latest statistics of the market share of all sites of the top web servers on the Internet.
--This diagram shows the percentages of websites using various web servers.
Apache is used by 47.8% of all the websites, followed by Nginx and
Apache 47.8%
Nginx 36.4%
Microsoft-IIS 10.4%
LiteSpeed 3.1%
Google Servers 1.0%
Tomcat 0.5%
Node.js
0.3%Apache Traffic Server
0.3%IdeaWebServer
0.3%Tengine
0.2%Cowboy
0.1%Lighttpd 0.1%
The following web servers are used by less than 0.1% of the websites
Oracle Servers
IBM Servers
Zope
Gunicorn
Kestrel
Kangle
Jetty
WEBrick
Caddy
Thin
Hiawatha
Resin
Zeus
Tornado
Cherokee
Mongrel
Paste WSGI HTTP Server
H2O
Roxen
AOLserver
Waitress
CherryPy
thttpd
IceWarp
KomHttpServer
Abyss
Twisted
NaviServer
SAP J2EE Engine
WebSTAR
WebToB
Yaws
Jexus
RaidenHTTPD
G-WAN
AllegroServe
nxweb
Monkey
Orion
BaseHTTPServer
Xitami
Barracuda Server
CouchDB
FAPWS
Hunchentoot
Virtuoso
WebHare
Blazix
Gatling
Misultin
Noelios Restlet Engine
Ada Web Server
Caudium
Comanche
KeyFocus
Lwan
Mathopd
Mongrel2
Swazoo
Trifork
Wildcat
Yahoo Traffic Server
Types of attacks
• Directory traversal attacks
• DoS attacks
• DNS hijacking
• Sniffing
• Phishing
• Pharming
• Defacement
• Etc.
Motive
• Damage reputation of and organization
• Monetary gains
• Stolen data used for fraud activities
• Tampering
• Launch secondary attacks
Tools
• Metasploit
• Mpack
• Zeus
• Neosplit
• HTTPRecon - Advanced web server fingerprinting
• ID Serve
• Wfetch
Main threats to web server
• Scanning / Enumeration
• Denial of service attacks
• Unauthorized access
• Malicious code execution
• Privileges
• Malware (Viruses, Worms and Trojan horses)
Countermeasures
• Patch management
• Harden OS
• Harden Web server
• Firewalls
• Anti virus, Anti malware software
• Disable remote admin access
• Remove default accounts and unused accounts
• Default ports and settings must be secured
Sofware bugs
It’s impossible to write a software program without bugs. What ever testing is done there may be some unexplored bugs that may surface at later time and those need to be addressed when discovered.
OS, Web Server and Web applications are all softwares and may contain bugs that are prone for attacks.
http live headers

Post your comment

RSS