Web security practices (7) Introduction to web servers and common attack software

Web security practices (7) Introduction to web servers and common attack software

Through the previous discussion, we have learned how to determine the type of web server. From this section, we will discuss web platform vulnerability attacks. The defect mentioned here is the defect of the server itself, not the defect caused by the Administrator's configuration. This defect can only be avoided by upgrading or patching. Of course, for different servers and existing vulnerabilities, All I listed in this section are past tense and there should be a solution. The purpose is not to teach you how to attack a web platform, but to understand what it is to attack a web platform.

Body

7.1 Introduction to common web Servers

(1) Apache

Apache is the world's No. 1 Web server software. It can run on almost all widely used computer platforms.

Apache originated from the NCSAhttpd server and has been modified many times to become one of the most popular Web server software in the world. Apache is taken from the pronunciation of "a patchy server", which means a server full of patches, because it is a free software, so there are people who constantly develop new functions, new features, and modify the original defects for it. Apache is simple, fast, and stable, and can be used as a proxy server.

(2) IIS

Internet Information Server. It is a Server promoted by Microsoft. The latest version is IIS 7 included in Windows2008. IIS is fully integrated with Window Server, therefore, you can use the built-in security features of Windows Server and NTFS (NT File System, NT File System) to build powerful, flexible, and secure Internet and Intranet sites.

(3) GFE

The number of Google web servers has soared. Iis is currently under pressure.

(4) Nginx

It is not only a small and efficient HTTP server, but also an efficient Server Load balancer reverse proxy, using it to receive user requests and distribute them to multiple Mongrel processes can greatly improve the concurrency of Rails Applications.

(5) Lighttpd

Developed by the German leader Jan Kneschke, the open-source WEB server software based on the BSD license is designed to provide a high-performance website, secure, fast, compatible, and flexible web server environment. It features low memory overhead, low CPU usage, good performance, and rich modules. Lighttpd is one of the many OpenSource lightweight web servers. Supports important functions such as FastCGI, CGI, Auth, output compress, URL rewriting, and Alias.

(6) Zeus

Is a very good Web Server running on Unix. It is said that the performance exceeds Apache, and is one of the most efficient Web servers.

 

(7) Sun's Java System Web Server

That is, the previous Sun ONE Web Server. It mainly appears on critical task-level Web servers running Sun's Solaris operating system. The latest version is 6.1, which supports x86 Solaris, Red Hat Linux, HP-UX 11i, ibm aix, and even Windows, however, most of its users select the Solaris operating system of the iSCSI version.

(8) Resin

Provides the fastest jsp/servlets running platform. With the support of java and javascript, Resin can flexibly select an appropriate development language for tasks. XML stylesheet language (XSL), an advanced language of Resin, can separate the form from the content.

(9) Jetty

Is an open-source servlet container that provides runtime environments for Java-based web content, such as JSP and servlet. Jetty is written in Java and Its APIs are released in the form of a set of JAR packages. Developers can instantiate the Jetty container into an object and quickly provide network and web connections for some Java applications that run independently (stand-alone.

(10) BEA WebLogic

Is a Java application server used to develop, integrate, deploy, and manage large-scale distributed Web applications, network applications, and database applications. Introduce the dynamic functions of Java and the security of Java Enterprise standards into the development, integration, deployment and management of large-scale network applications. BEA WebLogic Server has the performance, scalability, and high availability required to handle critical Web application system problems.

(11) Tomcat

It is a core project in the Jakarta project of the Apache Software Foundation. It is developed by Apache, Sun, and other companies and individuals. With Sun's participation and support, the latest Servlet and JSP specifications can always be reflected in Tomcat. Because of the advanced Tomcat technology, stable performance, and free of charge, Tomcat is favored by Java enthusiasts and recognized by some software developers. It has become a popular Web application server.

 

7.2common software for Web Server Vulnerability attacks

 

(1) The Metasploit framework is an open-source platform for development, testing, and startup of attack code. We can use it to develop attack code or use the provided code to launch attacks. It has excellent scalability. At http://www.metasploit.com/we can get all the information about metasploit, and download images installed on different platforms.

(2) N-Stealth

N-Stealth is a commercial Web server.

Security Scanner. It is more frequent than some free Web scanning programs, such as Whisker/libwhisker and Nikto, it claims to contain "30000 vulnerabilities and vulnerability programs" and "a large number of vulnerability checks are added each day", but such claims are questionable. Note that all common VA tools, such as Nessus, ISS Internet components, Retina, SAINT, and Sara, contain Web scanning components. (Although these tools do not always maintain software updates, they are not necessarily flexible .) N-Stealth mainly provides scanning for Windows platforms, but does not provide source code.

 

(3) Burp suite

Allows attackers to enumerate, analyze, and attack web programs by combining manual and automatic technologies. These different burp tools work collaboratively to effectively share information and support attacks based on the information in a tool.

(4) Nikto

It is an open-source and powerful WEB scanning and evaluation software that can be used to test various security projects of web servers, it can scan more than 230 types of potentially dangerous files, CGI and other problems on more than 2600 servers, it can scan the WEB type, host name, specific directory, COOKIE, specific CGI vulnerability of the specified host, and return the http mode allowed by the host. It also uses the LibWhiske library, but is usually updated more frequently than the Whisker. Nikto is one of the necessary WEB audit tools for network management security personnel.

(5) Paros proxy

Java-based Web application vulnerability assessment proxy. Supports real-time editing and viewing of HTTP/HTTPS information, such as modifying content in cookies and table fields. It includes web communication recorder, web thief, hash calculator, and a common web program attack scanner, such as SQL injection and cross-site scripting.

(6) Others

WebScarab

WebInspect

Whisker/libwhisker

Wikto

Acunetix Web Vulnerability

Watchfire AppScan

Jiansha BetaV7.6.8 integrated Web Information intrusion detection tool