Detailed explanation of Web server security attacks and protection mechanisms, and detailed explanation of web Server mechanisms
Web Server attacks often use Web server software and configuration vulnerabilities. The best practice for these vulnerabilities is to follow some methods to build and run Web servers. This article describes some methods to protect Web servers.
Web security is divided into two categories:
· Web Server Security (Web server security and software configuration ).
· Security of Web applications (security of Java, ActiveX, PHP, and ASP code running on Web servers ).
Web Server attacks
Web Server attacks take advantage of Common Vulnerabilities in Web server software and configuration. These vulnerabilities include:
· Buffer Overflow
· File directory traversal
· Script permission
· File directory browsing
· Sample code for default installation of Web server software
· Vulnerabilities in other software running on Web servers, such as SQL database software
Let's discuss appeal vulnerabilities in depth.
1. Buffer Overflow
Buffer overflow allows malicious code injection into applications, it damages the Application Stack-a place where the application code is stored in the memory-and replaces a part of the original code with different codes for the attacker's purpose, for example, running a Trojan Horse program or remotely controlling an application. The following is a simple sample code of the buffer overflow vulnerability, which is written in C language:
Char aTmp ;
Scanf ("% s", aTmp );
In the first line, the programmer declares an array aTmp with a length of 100. In the second row, the scanf method reads data from the console and saves the data to the aTmp array. The Code does not check whether the % s variable can accommodate the size of the input data. Because the programmer's encoding process does not check the size of the input string, if the given input exceeds 100 characters, it will cause a buffer overflow. A well-constructed input may contain assembly code, which can obtain the same operation permissions as the source program.
2. Directory Traversal
Directory Traversal refers to accessing a directory (or folder) that is not originally imagined or allowed ). For example, the default folder of the Microsoft IIS Web site is C: \ inetpub. Attackers can exploit the directory traversal vulnerability to read files they should not have accessed outside the folder. For details, if there is a website with the website www.bad.com, its server code contains the directory traversal vulnerability. Attackers can exploit this vulnerability by entering the following URL:
The ".../" in the URL tells the server to trace a directory, that is, the "C: \" Directory (the Web server can convert a slash to a backslash ). Therefore, if the default directory of the IIS server is "c: \ inetpub", the URL will be transferred to the "C: \" directory, and attackers will be able to see "c: \ autoexec. bat file. Unless the server is configured to avoid directory traversal, all directories may be accessible. In this case, the Web server displays the content of the "autoexec. bat" file, or any other file selected by the attacker.
It is worth noting that we have used IIS as an example. However, this vulnerability is not used for IIS servers, and directory traversal is also found on other Web servers.
3. script permission
To run Common Gateway interfaces (CGI), Perl, or other server applications, the Administrator must grant executable permissions to the directory where the server-side applications are located. Some administrators grant this permission to the wrong location (usually because they do not understand the problems caused by this ). Let's take a look at the following example to discuss what will happen if the administrator grants this permission to all directories under drive C.
First, we will crack this mysterious URL. Some characters such as spaces and slashes cannot appear in the URL, because the URL is a 7-bit ASCII code. However, these characters are still used in some cases. A feasible method is to use its hexadecimal characters or use base 16 encoding similar to ASCII. Base 16 uses letters a, B, c, d, e, and f to indicate numbers greater than 9. For example, the letter a represents the number 10 in hexadecimal notation, f Represents 15, and 10 represents the number 16. Therefore, in the previous example:
· The space is represented as 32 in decimal format using ASCII encoding, and 20 in hexadecimal format. Therefore, the space is changed to % 20.
· The slash (/) is represented as 47 in decimal format by ASCII encoding, and 2f in hexadecimal format. Therefore, it is changed to % 2f.
After being parsed by the Web server, it becomes the following URL:
Execute cmd.exe and tell it to execute the "dir" command. Cmd.exe "is located in" C: \ winnt \ system32"
Command shell in the folder. The "Dir" command lists all files in the current directory and returns the results to the user. Of course, this is just a simple example. attackers can execute more complex commands to delete, run, or modify data on the Web server.
Figure 1 shows a screenshot of IIS directory permission configuration. Or other built-in operating system commands.
Figure 1 IIS script permission console screen
The command is used by the website administrator. It is not a software that can assist the attacker, such as cmd.exe or other built-in operating system commands.
4. Directory Browsing
In general, directory browsing is disabled, but if it is enabled, it displays all files in the directory and subdirectories that can be browsed. Sometimes it is known that a file has vulnerabilities that can help attackers exploit files and programs on Web servers. Therefore, it is not recommended to enable directory browsing on the Web server.
5. default example
The default example is an application that is included in Web server software and installed by default during server software installation. Some default installation examples include security vulnerabilities. The best way to protect these vulnerabilities is not to install examples. If you have already installed them, you 'd better delete them.
6. Other services
Attackers can attack the Web server by attacking other services running on the Web server. These services include FTP, SMTP, POP3, SQL Server, and NetBIOS services. The best way to prevent such attacks is to reduce the "attacked surface ". Disable all unnecessary services running on the Web server operating system and configure the remaining services safely. The best practice is to make the Web server have only one Web Service Program, without other services. The running database and other software should be deployed on a separate server, so that the server is protected by the firewall, and only the Web server is vulnerable to Web attacks. If attackers try to use vulnerabilities of other services to attack the server, they can also interfere with or attack the Web site.
7. inherent vulnerabilities in Web server software
Every Web server software, including IIS and Apache, has provided built-in vulnerabilities to programmers due to lack of secure coding technology. For example, the. htr vulnerability in IIS allows attackers to view the content of files residing on the server. Major Web server software platform vulnerabilities are released almost every week.
Web Server Protection
The best practice for these vulnerabilities is to follow the suggestions below to build and run Web servers. Take the following measures to improve the security of Web servers.
· Configure the Web Server service or daemon with the minimum permissions to make it run normally. In this way, even if attackers control the Web server, they can only obtain the permissions of the user account corresponding to the software. In this way, other feasible software solutions to attack computers or networks are extremely limited.
· Install the latest security patches and keep abreast of the latest vulnerabilities.
· Delete the default example and Avoid installing similar examples.
· By deleting unnecessary applications and securely configuring other network services on the same computer, ensure that the operating system has installed the latest security patches to ensure the security of the computer hosting the Web server.
· Ensure that you only have the permission to run the script in a separate directory.
· Upload an index.html file to each directory on the Web server to avoid directory browsing.
Third-party security products
Commercial and free products can also help defend against different Web server-related vulnerabilities. There are mainly the following products:
· Software and hardware firewall
· Virus Defense Software
· ISAPI-based security products
· Security logs
· Feedback Analysis Software
· Intrusion Detection System and intrusion detection and defense system
· Vulnerability Scanning Software
· Input verification
Software and hardware firewalls.The firewall filters out traffic that does not belong to normal Web sessions. All Web servers should be equipped with a technology-advanced fourth-generation firewall. The fourth generation firewall can distinguish legitimate Web browser traffic from malicious attack traffic by attackers. Firewall software directly deployed on Web servers can provide additional protection for servers.
Web application firewall.Web Application Firewall (WAFs) is a device with the deep Web traffic check function. WAFs provides good protection for content-based attacks because it parses the actual content of the HTTP session and looks for known errors or abnormal behaviors that do not match the normal usage mode. These devices can effectively prevent most attacks.
Virus Defense software.Anti-virus software should be installed on the Web server. If attackers attempt to control Web servers by exploiting security vulnerabilities and the vulnerabilities are known, the virus defense software can detect and block them.
ISAPI-based security products. Such products intercept URL requests to filter out possible attacks, such as buffer overflow. Web server providers generally provide ISAPI-based security products for free.
Feedback analysis software.The feedback analysis software parses the response of the Web server and compares it with the response of a known normal website. If the website contains malicious code or is modified, the response does not match the original known normal response, so that unauthorized website changes can be detected.
Intrusion detection and defense.Intrusion Detection Systems (IDS) are generally used for post-intrusion processing because the system retains detailed records of events. The Intrusion Prevention System (IDP) can block some known bad behaviors.
Vulnerability scan software. The Administrator should run the vulnerability scanner to regularly test the security of the Web server, because if the scanner discovers a security vulnerability, the attacker may also find the same vulnerability. There are many free or commercial vulnerability scanning software. Some of them are Web-based, some are hardware programs, and the rest are pure software.
Enter verification.Enter the verification product to check whether there are exceptions, SQL Injection commands, or buffer overflow attack code in each data submitted to the Web site.
Security log.Security logs provide evidence of Web Server attack intrusion. In addition to storing them on Web servers, they should also store secure locations on the network to prevent attackers from changing logs or deleting records.