Analysis of Web security--analysis of basic architecture

Source: Internet
Author: User
Tags: ranges, SSL certificate, SSL connection

Profiling is the process of researching and accurately describing the infrastructure and application structure of a Web site. It is a very important but often overlooked phase of Web intrusion.

Infrastructure profiling covers the Web server software and hardware, DNS entries, network devices, load balancers, and more.

I. Introduction

II. Basic banner grabbing

III. Advanced HTTP fingerprinting

IV. Basic infrastructure intermediaries

I. Introduction

1. Footprinting: use a variety of Internet-based research methods to determine the scope of the target application or organization. Traditionally there are many tools and techniques for this task:

A. Internet registration research

B. DNS queries

C. General organizational research

2. Basic infrastructure reconnaissance techniques, such as:

A. Server discovery (ping sweep)

B. Network service identification (port scanning)

3. Identifying hosts running HTTP on TCP port 80 and/or HTTPS (SSL/TLS) on TCP port 443.

Tip: Do not neglect port scanning; many Web applications are compromised through inappropriate services running on the Web server itself or on other servers in the DMZ adjacent to the Web application server.

II. Basic banner grabbing

Banner grabbing identifies the type and version of the Web server software that is running.

[<user>@<host> netcat-0.7.1]# nc 210.14.147.222 80
HEAD / HTTP/1.0

HTTP/1.1 403 Forbidden
Server: nginx/1.6.0
Date: Sep 13:58:34 GMT
Content-Type: text/html
Content-Length: 168
Connection: close

III. Advanced HTTP fingerprinting

Once the banner has been obtained, advanced techniques can be used to determine which Web server is really running. This is called Web server fingerprinting; it no longer focuses only on the Server: header value but also observes how each Web server behaves across the services it offers and the unique characteristics of its responses. For example, IIS responds to invalid HTTP requests differently than Apache does. This is a good way to determine the type and version of the Web server actually running, and it is important to learn the subtle differences between Web servers. There are many other methods as well.

1. Unexpected HTTP methods. Different Web servers react differently to the same unusual request (compare the status lines below):

Sun ONE Web Server:

$ nc sun.site.com 80
PUT / HTTP/1.0
Host: sun.site.com

HTTP/1.1 401 Unauthorized
Server: Sun-ONE-Web-Server/6.1

IIS 5.x:

$ nc iis5.site.com 80
PUT / HTTP/1.0
Host: iis5.site.com

HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/5.1

IIS 6.0:

$ nc iis6.site.com 80
PUT / HTTP/1.0
Host: iis6.site.com

HTTP/1.1 411 Length Required
Server: Microsoft-IIS/6.0
Content-Type: text/html

Apache 2.0.x:

$ nc apache.site.com 80
PUT / HTTP/1.0
Host: apache.site.com

HTTP/1.1 405 Method Not Allowed
Server: Apache/2.0.54

2. Server header order anomalies

For example, in Apache 2.x the Date: header comes first, above the Server: header, as follows:

HTTP/1.1 200 OK
Cache-Control: private, max-age=0, no-cache
Content-Length: 43
Content-Type: image/gif
Date: Sun, Sep 14:20:01 GMT
Pragma: no-cache
Server: Apache
X-Content-Type-Options: nosniff

Another example: in nginx, the Server: header comes first, above the Date: header:

HTTP/1.1 304 Not Modified
Server: nginx
Date: Sun, Sep 14:20:00 GMT
Connection: keep-alive
Last-Modified: Tue, 02:01:10 GMT
ETag: "50986f66-2d1a"
Expires: Sun, Sep 14:35:01 GMT
Cache-Control: max-age=900

Another example: on Sun ONE the Server: and Date: headers are in the same order as on IIS 5.1, but note that in Content-length: the "l" of "length" is lowercase, and likewise for Content-type:, whereas IIS 5.1 capitalizes both words:

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Mon, 22 2005 20:33:36 GMT
Content-length: 2628
Content-type: text/html
Last-modified: Tue, 01 Apr 2003 20:47:57 GMT
Accept-ranges: bytes
Connection: close

3. HTTP fingerprinting tools

A. Net-Square's httprint tool, which comes with a customizable Web server signature database.

B. Shodan, a search engine that indexes Internet-connected systems of interest to information security (routers, servers, etc.). Most of the Internet has been indexed by Shodan, which makes it easy to identify, for example:

All IIS servers in the .gov domain.

All Apache servers in Switzerland.

The IP addresses of all systems running a specific Web server platform with a known vulnerability.

IV. Basic infrastructure intermediaries

These include load balancers, virtual server configurations, proxies, and Web application firewalls.

A. Virtual servers: a single machine that hosts multiple virtual IPs.

B. Detecting load balancers: load balancers are generally not visible, and many attackers ignore them during an assessment, but a load balancer can dramatically change how the assessment has to be carried out. A load balancer splits traffic across servers to ensure that no single server is overloaded.

C. Port scanning neighboring IP ranges: an easy way to identify a load balancer is to first identify the known server IP address and then script requests to the surrounding IP range. If you get multiple almost identical responses, these may be the same Web server reached through a load balancer. Occasionally you may encounter one or several servers that differ from the others. If the software version is outdated, or SSH or FTP is exposed instead, these anomalies may indicate a service security misconfiguration, and that IP address can be attacked separately.

D. Timestamp analysis: one way to detect a load balancer is to analyze response timestamps. Because many servers do not have synchronized clocks, you can determine whether there are multiple servers by making multiple requests within one second and comparing the Date: headers.

E. Differences in ETag and Last-Modified: determine whether the same resource is being served from multiple servers by comparing the ETag and Last-Modified values in the response headers of repeated requests for the same resource.

ETag: "20095-2de2-3fdf365353cc0"
Last-Modified: Sun, Dec 2004 20:30:25 GMT

ETag: "6ac117-2c5e-3eb9ddfaa3a40"
Last-Modified: Sun, Dec 2004 20:31:12 GMT

The difference in the timestamps above indicates that the servers were not replicated at the same moment: the requested resource was copied to the other server roughly one minute later.
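The following Python script is an added example, not code from the original article. It parses raw HTTP/1.x responses and applies two of the checks described above: the header-order and capitalisation heuristics from section III (Date: before Server: for Apache, Server: before Date: for nginx, lowercase second word in Content-length: for Sun ONE), and the ETag / Last-Modified / Date comparison from items D and E, which a defender can run against their own load-balanced site to see whether the pool is unsynchronised. All sample responses are constructed for this example (realistic dates are filled in), and the function names and the classification labels are this example's own.

```python
"""Header-order fingerprinting and load-balancer divergence checks.

Added example, not code from the original article. Parses raw HTTP/1.x
responses, guesses the server family from header order and capitalisation,
and compares ETag, Last-Modified and Date values across repeated responses
for one resource. All samples below are constructed; nothing touches the
network.
"""
from email.utils import parsedate_to_datetime


def parse_response(raw):
    """Split a raw response into (status_line, [(name, value), ...]).

    Header names keep their original case: capitalisation is one of the
    fingerprinting signals used below."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def header_order_guess(raw):
    """Guess the server family from header layout alone, ignoring Server:.

    Heuristics from the article: Sun ONE lower-cases the second word of
    compound names (Content-length:); Apache 2.x emits Date: before Server:;
    nginx emits Server: before Date:. The labels are this example's own."""
    _, headers = parse_response(raw)
    names = [name for name, _ in headers]
    if any(n.startswith("Content-") and n[8:9].islower() for n in names):
        return "sun-one-like"
    lower = [n.lower() for n in names]
    if "date" in lower and "server" in lower:
        if lower.index("date") < lower.index("server"):
            return "apache-like"
        return "nginx-like"
    return "unknown"


def backend_divergence(responses):
    """Compare several responses for the same URL.

    Reports the distinct ETag and Last-Modified values and the spread of the
    Date: clocks in seconds. Two ETags or Last-Modified values for one URL,
    or a Date spread larger than the sampling window, point at more than one
    backend (or backends that received the content at different times)."""
    etags, lastmods, dates = set(), set(), []
    for raw in responses:
        _, headers = parse_response(raw)
        h = {name.lower(): value for name, value in headers}
        if "etag" in h:
            etags.add(h["etag"])
        if "last-modified" in h:
            lastmods.add(h["last-modified"])
        if "date" in h:
            dates.append(parsedate_to_datetime(h["date"]))
    spread = (max(dates) - min(dates)).total_seconds() if len(dates) > 1 else 0.0
    return {
        "etags": sorted(etags),
        "last_modified": sorted(lastmods),
        "date_spread_seconds": spread,
        "multiple_backends_likely": len(etags) > 1 or len(lastmods) > 1,
    }


# Constructed samples: one URL fetched twice, one second apart, from a pool
# whose second member received the updated file about a minute later.
APACHE_FIRST = (
    "HTTP/1.1 200 OK\r\nDate: Sun, 05 Dec 2004 20:30:25 GMT\r\nServer: Apache\r\n"
    "Last-Modified: Sun, 05 Dec 2004 20:30:25 GMT\r\n"
    'ETag: "20095-2de2-3fdf365353cc0"\r\nContent-Length: 43\r\n'
    "Content-Type: text/html\r\n\r\n"
)
APACHE_SECOND = (
    "HTTP/1.1 200 OK\r\nDate: Sun, 05 Dec 2004 20:30:26 GMT\r\nServer: Apache\r\n"
    "Last-Modified: Sun, 05 Dec 2004 20:31:12 GMT\r\n"
    'ETag: "6ac117-2c5e-3eb9ddfaa3a40"\r\nContent-Length: 43\r\n'
    "Content-Type: text/html\r\n\r\n"
)
NGINX_SAMPLE = (
    "HTTP/1.1 304 Not Modified\r\nServer: nginx\r\n"
    "Date: Sun, 05 Dec 2004 20:30:25 GMT\r\nConnection: keep-alive\r\n\r\n"
)
SUN_ONE_SAMPLE = (
    "HTTP/1.1 200 OK\r\nServer: Sun-ONE-Web-Server/6.1\r\n"
    "Date: Sun, 05 Dec 2004 20:30:25 GMT\r\nContent-length: 2628\r\n"
    "Content-type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("apache", APACHE_FIRST), ("nginx", NGINX_SAMPLE),
                          ("sun one", SUN_ONE_SAMPLE)):
        print(label, "->", header_order_guess(sample))
    print(backend_divergence([APACHE_FIRST, APACHE_SECOND]))
```

The header-order guess deliberately ignores the Server: value, which is the point of fingerprinting: a Server: string can be changed in configuration, but header ordering and capitalisation come from the server's code paths. The divergence report is equally useful from the operator's side: if your own pool shows two ETags for one URL, deployment replication is lagging, and if the Date spread exceeds the sampling window, the backends' clocks are not synchronised.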

F. Load balancer cookies: some proxy servers and load balancers add their own cookies to an HTTP session so that they can maintain state (session persistence).

e.g. AA002=1131030950-54332355234/12343234

A search shows that AA002 is a tracking cookie set by "Avenue A".

G. Enumerating SSL anomalies: check whether the SSL certificate differs across responses for the same Web site, or whether the SSL endpoints support the same cipher (key) lengths.

H. Checking the HTML source: multiple requests for the same page may return different HTML code or comments.

I. Detecting proxies:

TRACE request: TRACE asks the Web server to echo back the request it has just received; in HTTP/1.1 it is intended as a debugging tool. A proxy server modifies the request before sending it on to the Web server, and the Web server then echoes back the request as it received it. This makes the changes the proxy made visible, e.g. the headers "Via:", "X-Forwarded-For:" and "Proxy-Connection:":

Via: 1.1 192.168.1.5

A reverse proxy is a front-end proxy that routes inbound requests from the Internet to back-end servers. It modifies two things: (1) it remaps the URL to the appropriate URL on the internal server, for example TRACE /index.aspx HTTP/1.1 might become TRACE /site1/folder/index.asp HTTP/1.1; (2) it rewrites the Host: header to point to the relevant internal server before forwarding the request.

J. Standard CONNECT test: the CONNECT method is used primarily by proxy servers to proxy SSL connections. The proxy establishes the SSL connection on behalf of the client; for example, CONNECT https://secure.site.com:443 tells the proxy to establish an SSL connection to port 443 on secure.site.com. But this command can be abused to connect to servers inside the network.

*Request*
CONNECT remote-webserver:80 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: remote-webserver

*Successful response*
HTTP/1.1 200 Connection established

A technique that is available here is to identify the target's internal IP address range and then port scan that range through the proxy.

K. Detecting a Web application firewall: a WAF can be viewed as an intrusion prevention system (IPS) for Web applications.

If you are always disconnected or time out when sending an attack request, there is likely an application firewall between you and the application. Another sign is that the same type of error is always returned.

Some common Web application firewalls and some very simple ways to detect them:

Teros: the firewall responds with the following error to a simple TRACE request or to any invalid HTTP request:

TRACE / HTTP/1.0
Host: www.site.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36

HTTP/1.0 500
Content-Type: text/html

Another way to detect Teros is to look for the cookie it sends, like this: ST8ID=1AEAADF13ASDF243SD233435K33C3S.00.D4512AD323342SDF. In most cases the cookie value will have a similar character set and length.

F5 TrafficShield:

Send a PUT request with no data. The following error will appear:

PUT / HTTP/1.0
Host: www.site.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

HTTP/1.0 ... Request
Content-Type: text/html

TrafficShield also has a distinctive standard cookie: ASINFO

NetContinuum:

The firewall's cookie is NCI_SessionId, and the device responds with a 404 error to all invalid requests.

URLScan:

This is a free ISAPI filter that provides a number of flexible controls over HTTP requests. Such products do not provide dynamic protection; instead they rely on lengthy signature profiles or allow-list configuration files to block attacks.

By default, if you send a path longer than 260 characters, URLScan responds with a 404 error. URLScan will also reject the request if any of the following headers are present:

Translate:

If:

Lock-Token:

Transfer-Encoding:

The above headers cause URLScan to return a 404 error.

SecureIIS:

SecureIIS is similar to an enhanced version of URLScan: it is an expanded commercial version that adds a nice GUI and some excellent features. By default, a rejected request receives a 406 error code.

One of its rules limits the length of any header value to 1024 characters, so simply set a header value above this limit to see whether the request is rejected.
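To make the URLScan and SecureIIS behaviour above concrete, here is an added Python example (not code from the article or from either product) of a toy request filter that implements the rules the article lists: a 404 for a path longer than 260 characters or for any request carrying a Translate:, If:, Lock-Token: or Transfer-Encoding: header, and a 406 for any header value longer than 1024 characters. The thresholds and header names come from the article; the request parsing, rule structure, function names and sample requests are this example's own constructions. It shows both why such static filters block what they block and why their fixed, uniform responses make the filter itself easy to recognise.

```python
"""Toy request filter modelled on the URLScan / SecureIIS rules above.

Added example, not code from the article or from either product. Limits and
header names are taken from the article; everything else is constructed.
"""

MAX_PATH_LEN = 260            # URLScan default path limit (from the article)
MAX_HEADER_VALUE_LEN = 1024   # SecureIIS header-value limit (from the article)
DENIED_HEADERS = {"translate", "if", "lock-token", "transfer-encoding"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, version, headers).

    Header names are lower-cased because HTTP header names are
    case-insensitive, so a deny-list must compare them that way."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return method, target, version, headers


def urlscan_style_verdict(raw):
    """Return 404 if either URLScan rule from the article fires, else None."""
    _, target, _, headers = parse_request(raw)
    if len(target) > MAX_PATH_LEN:
        return 404
    if any(name in DENIED_HEADERS for name, _ in headers):
        return 404
    return None


def secureiis_style_verdict(raw):
    """Return 406 if any header value exceeds the 1024-character limit."""
    _, _, _, headers = parse_request(raw)
    if any(len(value) > MAX_HEADER_VALUE_LEN for _, value in headers):
        return 406
    return None


def filter_request(raw):
    """Apply both rule sets; the first rejection wins.

    Returns the status code the filter would answer with, or None when the
    request is passed through to the application."""
    for check in (urlscan_style_verdict, secureiis_style_verdict):
        verdict = check(raw)
        if verdict is not None:
            return verdict
    return None


# Constructed sample requests exercising each rule.
NORMAL_REQUEST = "GET /index.html HTTP/1.0\r\nHost: www.site.com\r\n\r\n"
LONG_PATH_REQUEST = ("GET /" + "a" * 300 + " HTTP/1.0\r\n"
                     "Host: www.site.com\r\n\r\n")
DENIED_HEADER_REQUEST = ("GET /index.html HTTP/1.0\r\nHost: www.site.com\r\n"
                         "Translate: f\r\n\r\n")          # value is constructed
LONG_HEADER_REQUEST = ("GET /index.html HTTP/1.0\r\nHost: www.site.com\r\n"
                       "X-Example: " + "A" * 2000 + "\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST), ("long path", LONG_PATH_REQUEST),
                       ("denied header", DENIED_HEADER_REQUEST),
                       ("long header", LONG_HEADER_REQUEST)):
        print(label, "->", filter_request(req))
```

Because every rejection collapses to the same status code regardless of which rule fired, an observer who sends a 261-character path and a request with a Transfer-Encoding: header and gets 404 for both has learned that a filter with these rules sits in front of the application. An operator who wants the protection without the fingerprint can vary the response (or log and drop at the network edge) rather than return one fixed error for every rule.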
