WHAT YOU NEED TO KNOW ABOUT WEB SERVERS
A web server is just a piece of software running on the operating system of a server that allows connections to access a web application. The most common web servers are Internet Information Services (IIS) on a Windows server and Apache Hypertext Transfer Protocol (HTTP) Server on a Linux server. These servers have normal directory structures like any other computer, and it's these directories that house the web application.
If you follow the Windows next, next, next, finish approach to installing an IIS web server, you will end up with the default C:\Inetpub\wwwroot directory structure, where each application will have its own directories within wwwroot and all vital web application resources are contained within it.
Linux is more varied in the file structure, but most web applications are housed in the /var/www/ directory. There are several other directories on a Linux web server that are especially relevant to web hacking:
■ /etc/shadow: This is where the password hashes for all users of the system reside. This is the “keys to the kingdom”!
■ /usr/lib: This directory includes object files and internal binaries that are not intended to be executed by users or shell scripts. All dependency data used by the application will also reside in this directory. Although there is nothing executable here, you can really ruin somebody's day by deleting all of the dependency files for an application.
■ /var/*: This directory includes the files for databases, system logs, and the source code for the web application itself!
■ /bin: This directory contains programs that the system needs to operate, such as the shells, ls, grep, and other essential and important binaries. bin is short for binary. Most standard operating system commands are located here as separate executable binary files.
The web server is a target for attacks itself because it offers open ports and access to potentially vulnerable versions of web server software installed, vulnerable versions of other software installed, and misconfigurations of the operating system that it’s running on.
WHAT YOU NEED TO KNOW ABOUT HTTP
HTTP is the agreed-upon process to interact and communicate with a web application. It is a completely plaintext protocol, so there is no assumption of security or privacy when using HTTP. HTTP is actually a stateless protocol, so every client request and web application response is a brand-new, independent event without knowledge of any previous requests. However, it's critical that the web application keep track of client requests so you can complete multistep transactions, such as online shopping where you add items to your shopping cart, select a shipping method, and enter payment information.
HTTP without the use of cookies would require you to re-login during each of those steps. That is just not realistic, so the concept of a session was created, where the application keeps track of your requests after you log in. Although sessions are a great way to increase the user-friendliness of a web application, they also provide another attack vector for web applications. HTTP was not originally created to handle the type of web transactions that require a high degree of security and privacy. You can inspect all the gory details of how HTTP operates with tools such as Wireshark or any local HTTP proxy.
The use of secure HTTP (HTTPS) does little to stop the types of attacks that will be covered in this book. HTTPS is achieved when HTTP is layered on top of the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol, which adds the transport-layer security of SSL/TLS to normal HTTP requests and responses. It is best suited to ensuring that man-in-the-middle and other eavesdropping attacks are not successful; it ensures a "private call" between your browser and the web application, as opposed to having a conversation in a crowded room where anybody can hear your secrets. However, in our usage, HTTPS just means we are going to be communicating with the web application over an encrypted communication channel to make it a private conversation. The bidirectional encryption of HTTPS will not stop our attacks from being processed by the waiting web application.
HTTP Cycles
One of the most important fundamental operations of every web application is the cycle of requests made by clients' browsers and the responses returned by the web server. It's a very simple premise that happens many times every day. A browser sends a request filled with parameters (variables) holding user input, and the web server sends a response that is dictated by the submitted request.
The web application may act based on the values of the parameters, so they are prime targets for hackers to attack with malicious parameter values to exploit the web application and web server.
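To make the request side of that cycle concrete, here is an added example (not from the book): a small Python parser that takes one constructed plaintext request to a hypothetical shop.example host and pulls out every value the client chose, which is the URL parameters, the form parameters, and the session cookie that carries state across the otherwise stateless protocol. The request, the host name and the SESSIONID cookie name are all made up for the illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample of one plaintext HTTP request (hypothetical shop.example host).
RAW_REQUEST = (
    "POST /cart/add?item=42&qty=1 HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: SESSIONID=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 20\r\n"
    "\r\n"
    "coupon=SAVE10&gift=1"
)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into its client-supplied parts."""
    head, _, body = raw.partition("\r\n\r\n")        # a blank line ends the headers
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # The body is only as long as the client claims; anything past that is a new request.
    length = int(headers.get("content-length", "0"))
    body = body[:length]
    parts = urlsplit(target)
    cookies = {}                                      # session state rides in here
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = value
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body, keep_blank_values=True)
    return {
        "method": method, "path": parts.path, "version": version,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "headers": headers, "cookies": cookies, "form": form,
    }

def client_controlled_inputs(req):
    """Flatten every client-chosen value: all of it crossed the wire in plaintext."""
    inputs = {f"query:{k}": v[0] for k, v in req["query"].items()}
    inputs.update({f"form:{k}": v[0] for k, v in req["form"].items()})
    inputs.update({f"cookie:{k}": v for k, v in req["cookies"].items()})
    return inputs

if __name__ == "__main__":
    print(client_controlled_inputs(parse_request(RAW_REQUEST)))
```

Every key in the returned dictionary is a value the application must validate before acting on it, since the client can set any of them to anything.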