Web Server Security Scanner Application

Ali BULDU, Fuat MUNINOGLU, Resat MARZIOGLU, Kazim YILDIZ, Volkan Yusuf SENYUREK

Abstract

The Internet brings huge benefits to users, but it also comes with many security threats, such as theft of credit card information, hijacking of web site domains, hacking of e-mail accounts, gathering of personal information and so on. Our aim in this application is to understand web attack types, develop an algorithm according to the attack methods and write a web security scanner to discover possible threats on web sites. Our sources are web security and attack focused sites and documentation. We brought these different platforms together and developed our program in the Python language, which is also used by an important company, Google. Python, an object-oriented programming language, gives us flexibility and a fast base [1]. Security scanners are heavy processes because they use the Central Processing Unit (CPU) and the Internet connection intensively at the same time. The algorithms in the program and the libraries used have an important effect on the speed of the workflow. We import only the necessary modules from libraries, which strongly affects program performance [2]. Our program performs these functions: it discovers Common Gateway Interface, Remote File Inclusion and SQL Injection exploits on a web server and gathers the web server information.

Keywords: Web Server Security, Security System, Application of Security Scanner
ICENS International Conference on Engineering and Natural Science, 15-19 May 2015, Skopje, Macedonia
1. INTRODUCTION

There are two sides of danger in the Internet security world, personal computer security and web server security, threatening users and web hosting companies. This program and documentation are surely not enough to defend a system, but they give some information about where to begin defending your network, simply by exposing the backdoors of websites. On the other hand, OsmanWS shows how easily firewalls can be passed through. We developed this program for educational purposes and to teach security experts how to close backdoors. We shared the roles between us in two parts. The first part is the security expert's, describing how hacking methods are used and how exploits are discovered; the second part is the coding and the development of the search algorithms. Web security can be divided into two main subjects: Personal Computer Security and Host Security. Our project is based on the Host Security side.
2. WEB SERVER SECURITY

2.1. Personal Computer Security

Most security threats to PCs are based on the user. If the user is conscious of computer environments and knows the risks of web sites, he will get the highest personal computer security without getting any software and updates. Systems can be patched against security threats and provide the highest security options for end users, but users can destroy the security wall very easily. The user must have a secure personal firewall on the PC and has to configure it for the best security and high performance. Usually, personal firewalls need a large amount of memory, and this reduces performance. It is an annoying side of security, but the user must know the importance of personal information. The user must upgrade the hardware if he needs more performance. Nowadays, operating systems come with a built-in firewall for end user security. If the user wants to use other third-party firewall and antivirus software, the operating system's firewall can be disabled to get the highest performance. This is a way of increasing performance without changing hardware, but it is not a recommended way. Most viruses and Trojans are written for the Windows operating system because of its popularity. Flash disks are a common home for viruses and Trojan horses. To avoid this, users must scan the disk's usable and secure areas with an updated antivirus tool without clicking on it.
2.2. Host Security

There are many types of attack on web hosts, and this causes a high security risk for end users and companies. The reason for most of the vulnerabilities is coding mistakes. If the input of forms is not filtered, users can read the database, change the fields and grab all the information. Coding mistakes are cloned every day because of web site templates. Templates are ready-to-publish websites, and they are used by individuals and companies. Most web site owners use such a template and inherit the common risks of the template. A template has its own database and its own structure. If the user does not modify this structure, he will most probably get into trouble with the host. In addition to this, the web server infrastructure must have high bandwidth, and an Intrusion Detection System (IDS) has to be in place for security. The web server security scanner process can be seen in Figure 1.
Figure 1. Web Server Security Scanner
3. WEB SERVER THREATS

There is some common methodology for getting hold of a whole web server or the website itself. We describe three methods and describe how to avoid mistakes in coding. Basic coding and configuration mistakes can cause great damage to your entire system.

• Remote File Inclusion
• SQL Injection
• Common Gateway Interface Injection
3.1. Remote File Inclusion

Remote File Inclusion (RFI) is a technique used to attack Internet websites from a remote computer. It uses cross-site scripting (XSS) to harm a web server. The attack allows malicious users to run their own PHP code on a vulnerable website. The attacker places his malicious code in the space provided for PHP programs on a web page. There is simple code like this:

With the lines above, the webmaster exposed the $page input to web users. If we try http://localhost/index.php?page=http://www.osmanws.info/ the page will be directed to www.osmanws.info. Hackers use http://www.harmfulshell.com/C99.php to get hold of the entire system (the link is placed at the end of the RFI).

Preventing RFI Injection

Code Based Prevention

RFI occurs:
$field = $id[field];
Fix:
$field = "field".$id;

The include, include_once, require, require_once and exec commands must be used carefully.

Configuration Based Prevention

With "disable_functions" you can secure your system easily, so injected scripts like the C99 shell will not affect your system.
3.2. SQL Injection

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities, because SQL Server will execute all queries that are syntactically correct. SQL injection consists of the direct insertion of code into user-input variables that are concatenated with SQL commands. In a less direct attack, malicious code is injected into strings that are destined for storage in a table or as metadata. The malicious code is executed when the stored strings are subsequently concatenated into a dynamic SQL command [3]. Figure 2 shows the filter method for preventing SQL injection.
Figure 2. Preventing SQL Injection (Filter Method)
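The string concatenation described above, next to the filter method and a bound parameter, as an added example that is not from the paper or from OsmanWS. The table, column names and rows are constructed, and Python's sqlite3 stands in for SQL Server.

```python
import re
import sqlite3

# Constructed sample rows; table and column names are hypothetical.
ROWS = [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")]
NAME_ALLOWLIST = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return db


def lookup_concatenated(db, name):
    """Vulnerable pattern: the input becomes part of the SQL text."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]


def lookup_filtered(db, name):
    """Filter method: refuse input outside a strict allowlist, then query."""
    if not NAME_ALLOWLIST.fullmatch(name):
        raise ValueError("name contains characters outside the allowlist")
    return lookup_concatenated(db, name)


def lookup_parameterized(db, name):
    """Bound parameter: the driver passes the input as data, never as SQL."""
    cursor = db.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in cursor]


def outcome(lookup, db, name):
    """Run one lookup and report its rows or the exception type it raised."""
    try:
        return lookup(db, name)
    except (sqlite3.Error, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "O'Brien"):  # a plain name and one with a quote
        for lookup in (lookup_concatenated, lookup_filtered, lookup_parameterized):
            print(repr(name), lookup.__name__, outcome(lookup, db, name))
```

The quote in O'Brien breaks the concatenated query, the filter rejects a legitimate name, and only the bound parameter returns the stored row.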
3.3. Common Gateway Interface

CGI (Common Gateway Interface) has become a standard platform for interaction between web services and other applications. A CGI is also a program. The CGI code that is called inside an HTML page merges the Web's static side with dynamic functions [4]. Web counters are the most popular CGI applications in web pages. Web counters are small applications called from inside web sites. CGI programs work on a real-time principle. The other important application area of CGI is online forms, which are filled in by web guests and return a reply after processing on the server side. CGI programs are executable, and the main threat is: "CGI programs can be executed remotely". So, CGI programs must be hosted in a demilitarized zone (DMZ) or a restricted area, because of the risk of internal information being grabbed.

CGI programs can be written in many languages, such as C, FORTRAN, Pascal, C++, Perl, UNIX Shell, Visual Basic, etc. If a CGI is written in C or FORTRAN, it must be compiled. If you write the CGI code in Perl or UNIX Shell, it can be executed directly, because these are script environments. Nowadays, CGI is losing popularity because of the great improvements in Java and JavaScript. CGI programs use the resources of the real system and reside on the server. However, Java applets and JavaScript are delivered from inside the HTML and run at the call of web browsers. This is the important advantage of JavaScript over CGI.

CGI scripts are controversial among security experts, because some CGI scripts are prepared without checking security protocols, and this can leave you with a big security hole. These backdoors not only damage your web site; they can also be used to destroy the complete server by logging in to the system with harmful shells. Professional hackers always leave a backdoor for re-hacking the system. Hackers look for these backdoors using Google Dorks or some scanners.
Our aim is to collect all scanners into one system so that security threats can be discovered easily [5]. If you want to search for CGI threats in your system with a Google Dork, you can use the keywords below:

cgi-bin/password.txt,
cgi-bin/ornek.pwd
4. DEVELOPING OF PROGRAM

4.1. Program Workflow

We coded the OSMAN Web Security program in the Python language. Python is a dynamic object-oriented programming language that can be used for any software development. It can be learned in a few days and offers support for other languages and tools. It has extensive standard libraries. Its users report substantial productivity gains and the development of higher quality, more maintainable code [6].
Figure 3. Flowchart of the program
4.2. Program Structure

The program can discover possible CGI, RFI and SQL exploits in a web site and also collects some important web server information. First, the user has to enter a valid URL without http:// into the top box, like www.osmanws.com. After that, the user has to choose the exploit types that need to be scanned. There are three options: CGI, RFI and SQL. The more check boxes you select, the longer you will wait for OsmanWS to finish the process. As the last action, we press the scan button and the process begins. After pressing the scan button we have to wait until all boxes are filled and we see the scan complete notice in all three boxes. This process may take several minutes. You can see which results are related to exploits and which are hosting server information below [7].

After we scan a web site we can save the results by clicking just one button (save all). This button saves all results with titles and also saves which backdoors you have scanned for this URL address. If you want to save only a specific part of the results, you can select that part and click the save selected button. This button also saves the scanned doors into the Word document. The Word document mentioned is located in the folder from which you ran OsmanWS. The program must run at least once to create the register documents. The last button on the interface is clear all. This button clears all boxes for a new scan.

The Python modules used in this work are:

• Tkinter – for the user interface
• BeautifulSoup – for grabbing href links
• urllib – URL operations
• urllib2 – extended URL operations, error detection
• cgilinks – includes common CGI exploits
Figure 4: Program Interface
Our SQL exploit detection algorithm looks for the key SQL error after sending a single quote (') as input at the end of the grabbed links.

Error: Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

The RFI algorithm looks for dangerous functions such as "include", "require", "include_once" and "require_once", so we can easily find the weak points of the system. Figure 5 shows the result screen when the RFI algorithm is used.
Figure 5. GUI Explanation
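The two checks described above as an added offline sketch, not OsmanWS's own code: matching a response body against database error signatures, and auditing PHP source for include/require calls. It goes one step beyond the paper by flagging the calls whose argument contains a variable; the sample body and PHP source are constructed.

```python
import re

# The first entry is the error quoted in the paper; the other two are
# well-known SQL Server and MySQL messages added here for illustration.
SQL_ERROR_SIGNATURES = (
    "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'",
    "Unclosed quotation mark after the character string",
    "You have an error in your SQL syntax",
)
INCLUDE_CALL = re.compile(
    r"\b(include_once|require_once|include|require)\b\s*\(?\s*([^;]*);")


def leaked_sql_errors(body):
    """Return the known database error signatures present in a response body."""
    lowered = body.lower()
    return [sig for sig in SQL_ERROR_SIGNATURES if sig.lower() in lowered]


def audit_includes(php_source):
    """List (line, function, argument, dynamic) for each include/require call.

    dynamic is True when the argument contains a PHP variable, the case in
    which request input may decide which file is loaded.
    """
    findings = []
    for number, line in enumerate(php_source.splitlines(), start=1):
        code = line.strip()
        if code.startswith(("//", "#", "*")):
            continue  # skip comment lines
        for func, arg in INCLUDE_CALL.findall(code):
            arg = arg.rstrip(") ").strip()
            findings.append((number, func, arg, "$" in arg))
    return findings


# Constructed samples, not output from OsmanWS or from any real site.
SAMPLE_BODY = ("<html><body>Microsoft OLE DB Provider for ODBC Drivers "
               "error '80040e14'<br>Syntax error in query</body></html>")
SAMPLE_PHP = """<?php
include("header.php");
$page = $_GET['page'];
// include($old);
include($page);
require_once 'config.php';
"""

if __name__ == "__main__":
    print(leaked_sql_errors(SAMPLE_BODY))
    for finding in audit_includes(SAMPLE_PHP):
        print(finding)
```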
The CGI algorithm searches for common CGI bugs that have been collected from all over the world. The CGI algorithm's result page can be seen in Figure 6.
Figure 6. Showing mistakes in coding
5. CONCLUSION

The digitalization of information needs high security precautions on the coding and server infrastructure side. The prevention of hacking must grow in parallel with exploits and bugs. User input always has to be filtered and checked twice. Server configuration has to be done carefully, and unnecessary functions must be disabled. Companies must carry out penetration tests periodically.

This prototype program has some qualities that differ from others. Usually, educational coding formats scan for only one type of exploit. OsmanWS is concerned with three types of exploits and three different scan algorithms: checking database responses, scanning template links and searching for particular words in source code. We tried to make this process as simple as possible and easy to learn. You can also find out how to use an object-oriented programming language with object-oriented programming methods. OsmanWS is written using template Python libraries and user-developed Python libraries (like urllib2). We also added our own library for template CGI links. The research period of the thesis had a very wide angle, examining hacking methods and using Python as a security language, so the result is very complex for a simple prototype program. Hopefully, the reader will have an idea about web security after studying these methods.
REFERENCES

[1]. Python. 2013. http://www.python.org/ [Online] [Accessed January 2013].
[2]. Litchfield, D., Anley, C., Heasman, J. & Grindlay, B. 2005. The Database Hacker's Handbook.
[3]. Anley, C. 2002. Advanced SQL injection in SQL server applications. White paper, Next Generation Security Software Ltd.
[4]. Harris, S., Harper, A., Eagle, C. & Ness, J. 2008. Gray hat hacking: the ethical hacker's handbook, McGraw-Hill.
[5]. Pardus. 2013. http://www.pardus.org.tr [Online] [Accessed February 2013].
[6]. Pardus-Linux. 2013. http://wiki.pardus-linux.org.index/index.php/Phyton [Online] [Accessed February 2013].
[7]. Siddharth, S. 2008. MSSQL Server 2005 Login Information and some other functions.