Web servers store web pages and deliver them to the client on request over HTTP, the basic protocol for publishing information on the World Wide Web. The actual role of a web server depends on how it is implemented; however, a generic web server stores HTML files or server-side scripts such as PHP and ASP that generate HTML on the fly. Web servers may also interact with databases when they are implemented to fetch information from a database and present it in a specific HTML format.
In the entire architecture, HTTP plays a crucial role as the protocol entrusted with transferring information from the client to the server and vice versa. Naturally, the network is prone to attack from hackers who attack web servers in many ways to gather information they are not authorized to access. The firewall responsible for protecting the web servers from such attacks can only prevent certain types of unauthorized access, including outbound access and attacks on OS network services.
Traditional hacking concepts have taken a backseat as web security has been beefed up by advanced techniques. However, hackers have come up with several advanced means of attacking web servers, such as URL interpretation, session hijacking, HTML injection and SQL injection, that are hard to prevent but certainly not impossible. There are firewalls in all network rollouts, but everybody knows the limitations of firewalls in preventing web server attacks.
The Vulnerabilities Of Web Servers That Make Them Prone To Attacks
- Vulnerabilities in the implementation of the TCP/IP protocol suite are the most exploited of all.
- Exploitation of authentication loopholes and session identifiers.
- Manual modification of URL parameters.
- Issues in the verification of input data.
Types of Web Server Attacks and their Preventions
The types of web server attacks are many, and so are the prevention techniques. A firewall offers a certain degree of prevention but is not foolproof. Apart from the generic firewall, an advanced level of security needs to be implemented to ensure the complete safety of the web servers.
URL Interpretation Attack
This attack is also called URL poisoning because the attacker manipulates the URL by changing its semantics while keeping the syntax intact. The parameters of the URL are adjusted so that information beyond what is intended can be retrieved from the web server. This type of attack is quite common on CGI-based websites.
To understand how this type of attack is perpetrated, consider an email application where users can reset their email password by answering a security question. After the security question is answered correctly, the application opens a page where the user can set an alternative email address. The page that receives the request lets the user reset the password and has all the login credentials of the user. Using URL interpretation, the URL that carries the request to fetch a user's details and send them to the alternative email address provided can be modified to fetch the details of another user. Thus, a URL interpretation attack exposes the information of other users.
A URL interpretation attack can be prevented by implementing a fix that is usually supplied by the vendor, and also through in-depth checking and verification of the web server configuration.
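As an added example (not from the original article), here is the password-reset lookup described above in two forms, assuming a hypothetical mail application with a constructed user table: the first trusts the `user` parameter in the URL, the second takes the identity from the authenticated session and treats a mismatching parameter as tampering.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample records for a hypothetical mail application; not real data.
USERS = {
    "alice": {"recovery_email": "alice@example.com"},
    "bob": {"recovery_email": "bob@example.com"},
}


def vulnerable_recovery_email(url: str) -> str:
    """Trusts the 'user' URL parameter.

    Any logged-in user who edits the parameter in the reset URL receives
    another user's recovery address: the URL interpretation flaw.
    """
    params = parse_qs(urlparse(url).query)
    user = params.get("user", [""])[0]
    return USERS[user]["recovery_email"]


def safe_recovery_email(url: str, session_user: str) -> str:
    """Takes the identity from the server-side session, never from the URL.

    A 'user' parameter is still accepted for compatibility but must match the
    authenticated user; a mismatch is a tampering attempt and is refused,
    which is also the event worth logging on the server side.
    """
    params = parse_qs(urlparse(url).query)
    requested = params.get("user", [session_user])[0]
    if requested != session_user:
        raise PermissionError("URL identity does not match the session")
    return USERS[session_user]["recovery_email"]
```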
SQL Injection attack
As the name suggests, an SQL injection attack aims to modify a database or extract information from it. An SQL query built with parameters from the URL is fed to the database and is able to alter the data. Stored procedures in the database can also be executed through SQL injection, and the database can be made to do things it is intended to do only when requested by authorized personnel.
When this attack is conducted, there is a chance that the backend database server is compromised, which can be catastrophic for a company. The vulnerability this type of attack exploits is the scenario where an SQL query is permitted to execute without validating the input data. The websites most likely to be attacked this way are e-commerce websites that have huge databases of users' information.
SQL injection, or SQL poisoning, is an attack that also does not have an easy fix; it requires a thorough review of the source code, following least privilege for DB applications, and deleting redundant and unnecessary database users and procedures.
Input Validation attack
An input validation attack is an attack on the web server where the server executes code injected by a hacker into the web server or the database server. There are many input properties that need to be validated before execution, including data type, data range and others. By executing code with inputs that are not validated, the attacker can retrieve or modify information.
When it comes to input validation attacks, there are really no specific countermeasures. The only preventive measure is following good coding practice. The code should validate all inputs: data types, data ranges, metacharacters and buffer sizes.
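Added example covering both the SQL injection section and the input validation advice above (not code from the article): a user lookup against a constructed in-memory SQLite table, first with the URL parameter concatenated into the query, then with the type, length, range and metacharacter checks the text lists plus a bound parameter.

```python
import re
import sqlite3

# Constructed in-memory table for a hypothetical shop; nothing here is real data.
def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> list:
    """Builds the query by string concatenation.

    The URL parameter becomes part of the SQL text, so it can rewrite the
    WHERE clause and return rows the caller was never meant to see.
    """
    sql = "SELECT name, email FROM users WHERE id = " + user_id
    return con.execute(sql).fetchall()


def validate_user_id(raw: str) -> int:
    """Type, size, metacharacter and range checks before the value reaches the DB."""
    if len(raw) > 10:  # bounded length, the equivalent of a buffer-size check
        raise ValueError("user id too long")
    if not re.fullmatch(r"[0-9]+", raw):  # digits only: quotes, spaces, comments rejected
        raise ValueError("user id must be numeric")
    value = int(raw)
    if not 1 <= value <= 1_000_000:  # plausible range for this table
        raise ValueError("user id out of range")
    return value


def lookup_safe(con: sqlite3.Connection, user_id: str) -> list:
    """Validates the input, then binds it as a parameter so it is never parsed as SQL."""
    uid = validate_user_id(user_id)
    return con.execute(
        "SELECT name, email FROM users WHERE id = ?", (uid,)
    ).fetchall()
```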
Buffer Overflow Attacks
A buffer overflow attack is the deliberate overflowing of the buffer memory reserved for a user's input. When an application awaits a user's input, it allocates a stack with a memory location where the data entered by the user is placed. Attackers flood this space by writing arbitrary data so that the memory stack is full and users are denied service. This is one of the ways to perform a denial of service attack, which is dealt with in more detail further on.
Another aspect of this type of attack is that the hacker can place an executable command in the stack, although whether the command executes depends on the return address specified by the hacker. After the stack recovers from the crash, execution goes to the return address, and if it has been changed and replaced with one that falls within the desired range, the command may execute and grant entry to certain sections of the web server.
In the case of buffer overflow attacks, the best mitigation is the vendor-supplied specific fix. However, checking bounds within the application can also be effective. Buffer overflow testing and source code review are often regarded as good countermeasures.
Impersonation Attack
An impersonation attack is also called IP spoofing: the hacker accesses the web server with an IP address that impersonates one that has access to the web server. Hackers make use of special programs to create an IP packet that appears to originate from the intranet and hence gain entry to the section of the web server that is intended to be accessed only by authorized personnel.
Impersonation attacks exploit vulnerabilities in the authentication protocols to get unauthorized access to the web servers and databases. Such attacks can be countered by having a strong authentication module and identifying the traffic coming towards the server.
Countermeasures for impersonation attacks include locking down the web configuration. There should also be a firewall that tracks the source IP from which the request is directed to the web server. In case the impersonation is being done using cookies, obfuscating them is a good solution so that manipulating the cookies is not possible.
Password-Based Attacks
The authentication system of a web server is often based on a password that identifies a valid user and grants access to the web server. If the hacker can, by any means, get your username and password, he or she can access the information that only you are supposed to access. Older applications do not have a strong authentication system, and this makes it easy for eavesdroppers to get through the authentication process.
Breaking a password is not easy, and there are certain algorithms that hackers deploy to guess the password and gain access to the network. Once hackers get access to the network, they can modify the configuration to make it easy for them to hack the network again after the network engineers have restored the website to normal.
Preventing password-based attacks means keeping the password long and complex and also having additional security measures to protect the database that stores the passwords. Cryptographic storage of passwords is also highly recommended.
Denial of Service Attacks
A denial of service (DoS) attack is an attack where the server denies users a response to their requests. This attack is performed by several means, and buffer overflow is one of them. It is an effective and naturally one of the most popular ways of attacking a web server. After gaining access to the network, attackers divert the attention of the security experts so that they do not become aware of the attack immediately, which lets the attackers exploit the web server in other ways.
DoS attacks are performed by overwhelming the web server in numerous ways, including sending invalid data as input that causes application termination, flooding the web server with automated requests causing a crash, and blocking the traffic resulting in loss of access for users. DoS attacks are categorized as volume attacks, protocol attacks and application layer attacks.
Prevention of DoS attacks from anonymous sources can be ensured by implementing a web server firewall that inspects the entire HTTP traffic and stops any data packet that appears malicious or originates from a source that is not authorized. A network audit trail must be maintained so that the changes made over a period of time can be tracked with ease. The network must also be tested locally as well as from the internet.
Brute Force Attack
Brute force, as the name suggests, means cracking the username and password combination by trying all possible iterations. This is a basic form of web server attack and is used when hackers have a clue that weak passwords have been used for authentication. The chance of brute force working is highest when no other security measures are in place besides password authentication.
The trick to preventing this type of attack is to create passwords that are long and comprise complex characters not commonly used. Also, there should be provision in the network to limit the number of unsuccessful login attempts. After a certain number of unsuccessful login attempts, the account may be locked. However, this is not seen as a practical solution. CAPTCHA can also be used to add an extra layer of security against brute force attacks.
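Added example serving both the password-based attack section (cryptographic storage of passwords) and the brute force section (limiting unsuccessful login attempts); it is not code from the article. It assumes a hypothetical in-memory account store, PBKDF2-HMAC-SHA256 with a random per-account salt, and a lockout threshold of 5 that the article does not specify.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold; the article gives no number


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginService:
    """Constructed in-memory account store with a per-account failed-attempt counter."""

    def __init__(self):
        self.accounts = {}  # username -> (salt, digest)
        self.failures = {}  # username -> consecutive failed logins

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = hash_password(password)

    def is_locked(self, username: str) -> bool:
        return self.failures.get(username, 0) >= MAX_FAILED_ATTEMPTS

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'.

        The counter caps how many guesses a brute-force run gets before the
        account stops answering at all; the constant-time comparison keeps
        the check from leaking how much of the digest matched.
        """
        if self.is_locked(username):
            return "locked"
        record = self.accounts.get(username)
        if record is None:
            # Unknown user: still run the slow hash so response time does not
            # reveal whether the account exists.
            hash_password(password, b"\x00" * 16)
            self.failures[username] = self.failures.get(username, 0) + 1
            return "denied"
        salt, digest = record
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "denied"
```

A lockout that is permanent invites the practicality objection the text raises; a production version would clear the counter after a cooling-off period or add the CAPTCHA step mentioned above instead of blocking outright.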
Source Code Disclosure
Through a source code disclosure attack, attackers are able to retrieve the application files without any parsing. The source code of the application is recovered and then analyzed to find loopholes that can be used to attack the web server. It is often caused by poor application design or errors in the configuration.
Source code disclosure is said to have taken place when the attacker is able to access the source code of a server-side scripting language such as PHP or ASP.NET. This code is not meant to be seen by anyone other than the authorized programmers.
A source code disclosure attack can be nipped in the bud by conducting a thorough check of the web server proxy configuration. Care should also be exercised while creating URL mappings to internal servers.
Session Hijacking
HTTP is a stateless protocol, while all web applications have state. When the tracking of this state is based on a poor mechanism, session hijacking becomes easy for hackers. It is also called cookie hijacking because a web server determines the session with a user based on a cookie. The cookie stored on the user's computer is stolen by the hijacker, either by intercepting it through access to the network or through a previously saved cookie. Sniffing programs are used to perform this attack in an automated manner.
Preventive measures against session hijacking are using a server-side tracking ID and matching every connection with timestamps and the associated IP address. Session IDs that are generated cryptographically are tough to decipher. Use of a server session management API is also quite useful in preventing session hijacking attacks.
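The measures listed above, as an added example that is not part of the original article: a hypothetical server-side session store whose IDs come from the OS CSPRNG, with each session bound to the client address and an idle timestamp (the 15-minute limit is an assumption, the article gives no figure).

```python
import secrets
import time
from typing import Optional

IDLE_TIMEOUT_SECONDS = 900  # assumed idle limit; the article gives no figure


class SessionStore:
    """Server-side session table; the cookie carries only an unguessable id.

    Each entry records the client address and timestamps so a cookie replayed
    from another host, or long after its last use, is refused and discarded.
    """

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be tested deterministically

    def create(self, username: str, client_ip: str) -> str:
        # 32 random bytes from the OS CSPRNG: not a counter, timestamp or username hash.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {
            "user": username, "ip": client_ip, "created": now, "last_seen": now,
        }
        return sid

    def validate(self, sid: str, client_ip: str) -> Optional[str]:
        """Returns the username for a live session whose IP matches, else None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # idle too long: force a fresh login
            return None
        if entry["ip"] != client_ip:
            del self._sessions[sid]  # presented from another host: treat as stolen
            return None
        entry["last_seen"] = now
        return entry["user"]

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```

Binding the session to the client IP follows the article's advice; deployments whose users sit behind carrier NAT or rotating proxies may need to relax that check and rely on the timeout and ID rotation instead.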
Impact of web server attacks
The impact of these attacks can range from website defacement to information theft. Intrusion into the web server may have other serious implications, such as the modification of data, especially users' information. All this might give a company a bad name and cause customers to lose faith in it. Prospective users will be scared of sharing personal data with the brand again, considering its inability to keep data confidential in the past.
Attacks such as source code disclosure can be catastrophic for websites, as the source code sometimes contains login names and passwords along with business logic that was devised after a lot of brainstorming and expenditure of resources. Denial of service (DoS) attacks also have serious implications for a website. The credibility of the website is marred, and users avoid such websites because of their bitter experience of being denied service.
Not all attacks aim at theft of information; some aim at defacement of the website. Hackers do it to disrupt the normal operation of the website and drive users away from it by exposing its vulnerability.
In order to safeguard the information stored on the web server, these web server attacks need to be prevented at all costs. As they say, complete information is the precursor to prevention: almost all types of web server attacks that threaten web security have been mentioned, and the methods of preventing them have been discussed in detail. These points will go a long way in setting up a web server that is secured from all kinds of attacks.