Web Security Practices (3) Analysis of http-based server architecture

Author: Xuan soul 

Prerequisites: http protocol, proxy server, and web Firewall

This series navigation http://www.cnblogs.com/xuanhun/archive/2008/10/25/1319523.html

Security Technology Zone http://space.cnblogs.com/group/group_detail.aspx? Gid = 100566

Preface

The web security practice series focuses on the practical research and some programming implementation of the content of hacker exposure-web Application Security secrets and solutions (version 2. So if you fully understand this book, you can skip this article.

In addition, I need more people like me to participate in this job.

It's better to talk nonsense. Let's get into the question of today.

 

Body

I was too tired to write the rest of the content yesterday. I will continue today. The main content is proxy and firewall detection.

3.1 detection proxy

If the proxy server acts as a Web server, the external network can simply treat it as a standard Web server without specific configuration. The difference is that this server does not store the real data of any Web pages, and all static Web pages or CGI programs are stored on internal Web servers. Therefore, the attack on the reverse proxy server does not damage the webpage information, which enhances the security of the Web server. Our main purpose is to check whether the target server responds to the request through the proxy server to avoid losing the target server.

(1) trace request. When we send a trace request like a web server, the server will display the received request. Under normal circumstances, the returned request should be the one we send. However, if our request first reaches a proxy server and then the real Web server receives the request, it should be a proxy server request, that is, the returned information should also be the request information of the proxy server rather than the initial request. This is a bit confusing. Let's take a look at the actual example below. However, because some servers have cross-site vulnerabilities in processing trace requests, many websites do not support TRACE requests.

HTTP/1.1 405 method not allowed

Date: Sun, 26 Oct 2008 09:03:50 GMT

Server: Microsoft-Microsoft IIS/6.0

X-powered-by: ASP. NET

X-ASPnet-version: 2.0.50727

Cache-control: Private

Content-Type: text/html; charset = UTF-8

Content-Length: 3432

.....

<Title> path 'track' is forbidden. </title>

 

During the test, I also found that some websites support TRACE requests but do not return request information, which may be ignored or error-tolerant.

The following shows a normal response.

Trace, HTTP, 1.0

HOST: www.xuanhun.com

HTTP/1.1 200 OK

Date: sat, 20 Oct 2007 20:39:36 GMT

Server: Apache/2.2.6 (Debian)

PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6 (2007-06-07)

Connection: Close

Content-Type: Message/HTTP

Trace, HTTP, 1.0

HOST: www.xuanhun.com

 

If we access a proxy, the following two situations may occur:

Fixed headers added to the Proxy Server

For example, "via:" X-forwarded-for: "," proxy-connection :"

Or change the Host header.

Trace, HTTP, 1.0

HOST: www.xuanhun.com

HTTP/1.1 200 OK

Date: sat, 20 Oct 2007 20:39:36 GMT

Server: Apache/2.2.6 (Debian)

PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6 (2007-06-07)

Connection: Close

Content-Type: Message/HTTP

Trace, HTTP, 1.0

HOST: www.xuanhun1.com

(2) connect standard test.

In general, the HTTP Proxy Service supports the http connect method, which can be used to establish a TCP connection to bypass the general application layer function. Generally, the http connect method is used to establish an HTTPS connection through the HTTP proxy.

The method of using the connect test is to send a connect to a known site, and observe the response information to determine whether it is from the agent.

3.2 detection Firewall

(1) continuous connection with intrusion features.

If a firewall exists, it will reject your connection. Intrusion scanning for servers is generally rejected by the firewall. In fact, we are certain that almost all formal websites will have firewalls. We are faced with the problem of what type of firewall the other party uses rather than the useless firewall.

(2) Firewall type diagnosis.

In fact, this is also a statistical problem like http fingerprint research. The thought should be to send various types of illegal requests to the server, determine whether the firewall responds, and what are the characteristics of the response. In the summary process, this is the person who has the opportunity to access the firewall configuration. The Research on this work is not yet perfect. My conditions do not allow me to do this experiment. I still hope to hear from more people.

 

Observation:

Response Information

TerosThe Web application firewall technology will make a 500 response to the trace request, prompting: Invalid method code. F5TrafficshieldThe system Returns Error 400 with The prompt: The Server cocould not andrestand your request. Your error ID is:

NetcontinuumThe Error 404 is returned for any illegal request.

SecureiisThe error 406 is returned.

Special cookies

TerosUse the same name-st8id for each response.

TrafficshieldThe cookie name is ASINFO.

Special errors

URLScanIf you receive a request whose Path length is greater than 260 characters, the system returns the 404 error. if you add headers such as ranslate, if, Lock-Token, and Transfer-Encoding to the request, the request is rejected.

The default header length of secureiis is 1024 characters.

 

3.3web server write permission probing

To check whether a directory has write permission for a web user, use the following method: telnet to the web port (80) of the server and send the following request:
PUT/dir/1. txt HTTP/1.1
Host:
Content-Length: 10
At this time, the server will return a 100 (CONTINUE) message:
HTTP/1.1 100 Continue
Server: Microsoft-Microsoft IIS/5.0
Date: Thu, 28 Feb 2002 15:56:00 GMT
Then, we enter 10 letters:
AAAAAAAAAA
After sending this request, check the server's returned information. If the request is a 201 Created response:
HTTP/1.1 201 Created
Server: Microsoft-Microsoft IIS/5.0
Date: Thu, 28 Feb 2002 15:56:08 GMT
Location: http: // iis-server/dir/my_file.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND,
PROPPATCH, SEARCH, LOCK, UNLOCK
This indicates that the write permission for this directory is open. Otherwise, if a 403 error is returned, the write permission is not enabled. If you need to authenticate, if a 401 (Forbidden) response is returned, the write permission is enabled, but anonymous users are not allowed. If a directory has both "write" and "script and executable program" enabled, web users can upload a program and execute it.

 

 

Today, I did a day's experiment and found that this part of knowledge is not mature in general and is yet to be developed. In fact, this is a contradiction, and the mature technology poses a great threat to existing websites. But from a technical point of view, I hope to get help from relevant experts.

Tomorrow's content should be a simple HTTP Programming Practice as planned.