Over the past decade, more individuals have access to the internet than ever before. Many organizations develop web-based applications, which their users can use to interact with them. But improper configuration and poorly written codes in web servers are a threat and can be used to gain unauthorized access to the servers' sensitive data.
This article tries to give an overview on Web Servers. We will be covering some topics which include working of a server, top web servers in the industry,web server vulnerabilities, web server attacks, tools and some counter measures to protect against such attacks.
Among the biggest web server attacks was the breach of GitHub in 2018.
GitHub is the most popular online code management service used by millions of developers. On February 28, 2018 it was hit by the largest ever DDoS attack The platform was not prepared for the massive influx of traffic, which peaked at a record-breaking 1.3 terabits per second.
In this attack, there was no involvement of botnets, but instead, attackers used a method called mem caching; a caching system used to speed up websites and networks. The attackers could spoof GitHub’s IP address and then massively amplify the traffic levels directed at the platform.
Luckily, within 10 minutes of the attack the company could contain and stop the attack from continuing as the company was using a DDoS Protection Service.
What are Web Servers?
Web servers are hardware, computer, or software, used to host websites. Web servers run on various operating systems connected to the back-end database and run various applications. The use of Web Servers has increased in past years as most online services are implemented as web applications. Web servers are mostly used in web hosting or the hosting of data for websites and web applications.
How does Web Server work?
A web server can be accessed through a websites' domain name. It ensures delivering the site's content to the requesting user by using Hypertext Transfer Protocol (HTTP). A Web server can be considered to be a hardware that is used to store or host the Web server's software and files related to websites. So a web server can be used to indicate the hardware or software or both together. It is used in the transfer of files, email communications, and for many other purposes. Web servers are so powerful that they can efficiently deliver the same file or any other file to thousands of website visitors simultaneously. Web Server Security Issue
Web Servers may be vulnerable to network-level attacks and operating system attacks. Web Server as a hardware is used to store Web server software and files related to websites such as images, scripts, etc. Usually, an attacker will target vulnerabilities in the configuration of the web server and exploit it.
Some Vulnerabilities may include :
- Inappropriate permissions of the directory
- Lack of security
- Bugs
- Misconfigured SSL certificates
- Enables unnecessary services
- Default setup
Top 3 standard Web Server software
- Apache HTTP Server - This is the most common server used in the industry. Apache Software Foundation develops it and it is a free and open-source software for Windows, Mac OS, Linux, and many other Operating systems.
- Microsoft Internet Information Services (IIS) - Microsoft develops this software for Microsoft platforms. It is not free or open-source.
- Nginx - This free and open-source software was created by Igor Sysoev and publicly released in 2004. This web server can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache.
Web Server Attacks
Web Server Attacks include many techniques. Some of them are provided below:
Denial of Service where an attacker attacks by sending numerous service request packets overwhelming the servicing capability of the web server, resulting in crashing and unavailability for the users.
DNS Server Hijacking, is also known as DNS redirection, where an attacker modifies DNS configurations. DNS redirection's primary use is pharming, where attackers display unwanted ads to generate some revenue, and Phishing--where attackers show fake websites to steal credentials.
DNS Amplification Attack -
A DNS Amplification Attack happens when an attacker spoofs the lookup request to the DNS Server with the DNS recursive method. The size of the requests results in a Denial of Service attack.
Directory Traversal Attacks -
Directory traversal, also is known as Path Traversal, is an HTTP attack that allows attackers to access restricted directories and reveal sensitive information about the system using dot and slash sequences.
Man in the Middle Attack -
A Man in the Middle / Sniffing attack happens when an attacker positions himself between a user and the application to sniff the packets. The attacker's goal is to steal sensitive information such as login credentials, credit card details, etc.
A Phishing attack is a social engineering attack to obtain sensitive, confidential information such as usernames, passwords, credit card numbers, etc. It is a practice of fraudulent attempts that appear to come from a reputable source. Scammers mostly use emails and text messages to trick you in a phishing attack.
Website Defacement is an attack where an attacker changes the website/web page's visual appearance with their messages. SQL injection attack is mainly used in web defacement. An attacker can add SQL strings to craft a query maliciously and exploit the webserver.
Web Server Misconfiguration -
Web Server Misconfiguration is when unnecessary services are enabled, and default configurations are being used. The attacker may identify weaknesses in terms of remote functions or default certifications, and can exploit them. An attacker can easily compromise systems by some attacks such as SQL Injection, Command Injection.
HTTP Response Splitting Attacks -
HTTP Response Splitting is a straightforward attack when the attacker sends a splitting request to the server, which results in the splitting of a response into two responses by the server. The second response is in the hand of the attacker and is easily redirected to the malicious website.
A web cache is an information technology for storing web documents such as web pages, passwords and images temporarily. Web Cache Poisoning is a technique where the attacker sends fake entry requests to the server, wipes out all the server's actual caches and redirects the user to the malicious website.
SSH Brute Force Attacks -
Brute force is where an attacker uses trial and error to guess login info by submitting many passwords or paraphrases. In an SSH Brute force attack, the intruder brute forces the SSH tunnel to use an encrypted tunnel. The encrypted tunnel is for communicating between the hosts. Hence, the attacker gains unauthorized access to the tunnel.
Web Server Password Cracking Attacks -
In this attack, the attacker cracks the server password and uses it to perform more attacks. Some of the common password cracking tools are Hydra, John the Ripper, Hashcat, Aircrack, etc.
Hacking Methodology
Information Gathering is a process of gathering different information about the victim/target by using various platforms such as Social engineering, internet surfing, etc.
Footprinting is a crucial phase where an attacker may use different tools to gather information about the target. In this phase, an attacker uses passive methods to find information about the victim before performing an attack. The attacker keeps minimum interactions with the victim to avoid detection and alerting the target of the attack. Footprinting can quickly reveal the vulnerabilities of the target system and can exploit them. There are various methods to gather information such as Whois, Google Searching, Operating system detection, network enumeration, etc.
In webserver footprinting, information is gathered using some specific tools that are focused on web servers such as Maltego,httprecon, Nessus, etc. resulting in details like operating system, running services, type, applications, etc.
1. Vulnerability Scanning -
Vulnerability scanning is the next process taken after performing footprinting to precisely target the attack . A vulnerability scanner is a computer program made to discover system weaknesses in computers and networks. Some methods used in vulnerability scanning are port scanning, OS detection, network services, etc. Common tools used for scanning are Nmap, Nikto, Nessus, and many more.
Different Types of Vulnerability Scanning
Vulnerability Scanning is classified into two types: unauthenticated and authenticated scans.
- Authenticated Scan: In this, the tester logs in as a network user and finds the vulnerabilities that a regular user can encounter. He also checks all the possible attacks by which a hacker can take benefit.
- Unauthenticated Scan: In this, the tester performs all the scans that a hacker would likely do, avoiding direct access to the network. These points can reveal how to get access to a network without signing in.
2. Session Hijacking -
Session Hijacking/ cookie hijacking is an exploitation of the web session. In this attack, the attacker takes over the users' sessions to gain unauthorized access to get information about its services. Session hijacking mostly applies to web applications and browser sessions.
The attacker needs to know the Session-Id (session key ) to perform session hijacking successfully. It can be obtained by stealing the session or just by clicking on some malicious links provided by the attacker. Once the attacker gets the key, he can take over the session using just the same session key, and the server will now treat the attacker's connection as the initial session.
3. Password Attacks -
Password cracking is a method of extracting passwords to gain authorized access to the legitimate user's target system. Password cracking can be performed using social engineering attack, dictionary attack, or password guessing or stealing the stored information that can help obtain passwords that give access to the system.
Password Attacks are classified as:
- Non-Electronic Attack
- Active Online Attack
- Passive Online Attack
- Default Passwords
- Offline Attack
Looking to boost your career? Discover the benefits of ITIL certification! Our ITIL exam cost is affordable, making it accessible to all. Don't miss this opportunity to enhance your skills and stand out in the competitive IT industry. Enroll today and take your career to new heights with ITIL.
Defensive measures to Protect Webserver
For Securing a web server from internal and external attacks or any other threat, the essential recommendation is to keep it in a secure zone. Security devices like firewalls, IDS, and IPS must be deployed. Maintaining the servers in an isolated environment protects them from other threats.
Website Change Detection System is a technique used to detect any unexpected activity or changes in the Web server. Scripting is focused on inspecting any modifications made in the files used to detect hacking attempts.
To defend a web server from attack, do ensure that services on the web server are minimized. Disable all unnecessary and insecure ports. Always allow encrypted traffic only. Disable tracking. Continuously monitor your traffic to ensure there is no unauthorized activity. Use Port 443 HTTPS over 80 HTTP to secure web browser communication.
Conclusion:
In this article, we learnt about working of the web server, security issues, and hacking methodologies with various examples. As an ethical hacker it is important to know about the common web server attacks, and understand the use of best practices and defensive measures to protect web servers against any attack.