
Servers

The Servers window lets you administer, and view the status of, the web servers within this policy.

The buttons at the top of the window add or remove servers from the policy, refresh the display, and push policy changes out to the servers within the policy:

Add a Server
Remove a Server
Force a refresh of the screen
Upload policy changes to the servers listed

Butterfly Security CodeSeeker Application Security Solution Help

19

Generic Behavior Signatures

Dot Detector

Path Traversal attacks allow a malicious user to access data, execute commands, or manipulate files outside the intended target path. Often these attacks are used to retrieve sensitive information such as usernames and passwords, system configurations, or application log files. They can also allow malicious users to execute arbitrary commands, in most cases with the permissions of the application being attacked, which gives access to any file those permissions allow.

Specifically, the Dot Detector looks for relative paths being sent to the server. By using .. in URLs, malicious users can trick scripts, code and even some web servers into retrieving files or executing commands located outside of the intended directory space. This is one of the most common attack signatures.

Example

http://someserver/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

This URL takes advantage of a directory traversal vulnerability in unpatched IIS. %c0%af is an overlong (invalid) UTF-8 encoding of the / character. IIS checked the path for .. sequences before decoding it, so the check passed, and the decoded path then walked up out of the /msadc virtual directory to the root of the drive and into winnt\system32, where the Windows command shell lives. The query /c+dir+c:\ passes the arguments /c dir c:\ to cmd.exe, so the command shell returns a directory listing of the C: drive.
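The decoding step that makes this example work, and the check that follows it, as an added example (not CodeSeeker's code; the function names are hypothetical, and the URLs other than the IIS example above are constructed). The path is percent-decoded repeatedly, overlong UTF-8 such as %c0%af is folded to the ASCII byte it encodes (the Unicode trick the example relies on), and the segments are walked to see whether the path ever climbs above the web root. A .. that stays inside the root is reported separately, because many legitimate requests contain one.

```python
"""Dot Detector in code: flag request paths that climb above the web root.

Added example for this help page, not CodeSeeker's own code. Function names
are hypothetical; sample URLs are constructed except for the IIS example
quoted in the text above.
"""
from urllib.parse import unquote_to_bytes, urlsplit


def fold_overlong_utf8(data: bytes) -> bytes:
    """Replace overlong two-byte UTF-8 sequences with the ASCII byte they
    encode. C0 AF is an overlong form of 0x2F ('/'): a strict decoder
    rejects it, but the vulnerable IIS accepted it after its '..' check.
    Well-formed multi-byte sequences are passed through untouched."""
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            code_point = ((lead & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if code_point < 0x80:          # only C0/C1 leads can be overlong
                out.append(code_point)
                i += 2
                continue
        out.append(lead)
        i += 1
    return bytes(out)


def normalize_path(raw_path: str, fold_overlong: bool = True, max_rounds: int = 3) -> str:
    """Canonicalise a request path the way an attacker hopes the server will:
    percent-decode repeatedly (double encoding such as %252e is common),
    fold overlong UTF-8, treat backslash as a separator and squeeze slashes."""
    data = raw_path.encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    if fold_overlong:
        data = fold_overlong_utf8(data)
    text = data.decode("latin-1").replace("\\", "/")   # latin-1: one byte -> one char, never fails
    while "//" in text:
        text = text.replace("//", "/")
    return text


def traversal_depth(path: str) -> tuple[int, bool]:
    """Walk the segments of an already normalised path. Returns the lowest
    directory depth reached (negative means the path escaped the root) and
    whether any '..' segment was seen at all."""
    depth = min_depth = 0
    saw_dotdot = False
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            saw_dotdot = True
            depth -= 1
            min_depth = min(min_depth, depth)
        else:
            depth += 1
    return min_depth, saw_dotdot


def dot_detector(url: str, fold_overlong: bool = True) -> dict:
    """Classify one request URL. 'has_dotdot' alone is noisy (/images/../css
    stays inside the root); 'escapes_root' is the signal worth blocking on."""
    normalized = normalize_path(urlsplit(url).path, fold_overlong)
    min_depth, saw_dotdot = traversal_depth(normalized)
    return {
        "normalized": normalized,
        "has_dotdot": saw_dotdot,
        "escapes_root": min_depth < 0,
    }


if __name__ == "__main__":
    iis = "http://someserver/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\"
    print(dot_detector(iis))                        # escapes_root True
    print(dot_detector(iis, fold_overlong=False))   # no '..' segment is ever seen
```

Running the IIS URL with fold_overlong=False shows why the canonicalisation matters: plain percent-decoding leaves the segments as ..%c0%af.., which contain no .. segment at all, and the detector stays silent.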

Hidden file detector

Hidden files, those that begin with a . on UNIX, often contain sensitive configuration information.

They don't appear in a standard directory listing, so they are easily forgotten. Their content can include access privileges, usernames, passwords or even logs with extremely sensitive information such as credit card numbers.

Example

http://somehost/.htpasswd

When a site is moved from Apache to IIS, the .ht* files are often left behind. They can reveal sensitive information about different aspects of your system.


HT Configuration File Detector

Apache uses a set of .ht* files for per-directory administration. These files let users tune and configure the web server's behaviour for an individual directory without reconfiguring the entire system. The information found in them makes them popular targets. Apache's default configuration prevents access to these files, but that does not help if you have removed the check from your configuration, or if you have migrated a site from an Apache server to iPlanet or IIS.

Example

http://somehost/.htpasswd

The .ht* files are often not removed when a site is moved from Apache to IIS, and they can then reveal sensitive information about different aspects of your system.

Common Command Detectors

When user input is not adequately checked, it may be possible to execute commands on the web server. The Common Command Detectors examine requests for the commands attackers typically use to extract information from, or gain control of, your web application.

Cmd.com Script Detector

The Cmd.com Detector looks for instances of command.com or cmd.com in the URL or query arguments of a request passed to the server. Attackers attempt to use these because they represent a Windows command prompt. If a malicious user finds a way to trick your code into executing either of them, they can execute any command on your system, which lets them change files or install and execute programs.

The Directory Listing Command Detector looks for instances of /bin/ls in the URL or the query arguments. This command lets malicious users get their bearings in your system, and locate and test areas of it for command execution problems. A directory listing rarely fails, so it is a low-risk way for an attacker to investigate the structure and weaknesses of a specific web application. For this reason it is a popular signature during the exploration phase of an attack.

The ID Command Detector looks for attempted execution of the UNIX id command. The id command returns the identity of a specific user; without arguments it reports the user executing the command along with that user's group membership. This information is very useful to malicious users because it tells them which privileges their commands run with, so they can tune their attacks to avoid commands that will fail and potentially leave incriminating evidence in the log files.

The RM Command Detector looks for attempted execution of the rm command. The rm command lets malicious users remove files. This is useful if they need to move a file out of the way, such as a .htaccess file that manages access control, or if they want to erase logs that might tip off administrators to their activity.

The WGET Command Detector looks for attempted execution of the wget command. wget is a popular command line tool for fetching content from a web site. If this command is available to a malicious user, it becomes simple for that user to retrieve code and files from another web server. Malicious users do this to install software that helps break the defences of a system, to install a back door, or even just to fetch the graphics they want to use when they deface your web site.

The TFTP Command Detector looks for tftp (trivial file transfer program) activity. This program lets users transfer files to and from a remote machine, and malicious users use it for the same purposes as wget: to bring in attack tools, to install a back door, or to fetch the graphics they want to use when they deface your web site.

The Echo Command Detector detects the echo command, which is often used together with output redirection or a pipe, allowing a malicious user to write content into, or over, an existing file. This can be used to alter configuration files, add users to your system, or deface your web site.

The Perl Detector checks for Perl activity. Perl is a popular scripting language and system administration tool with a very powerful and extensive command set. Because of its popularity and power, it is a popular choice for attackers looking for ways to manipulate your system. In addition, many early IIS installations placed the perl executable in the script directories of the web server, which made Perl and all its capabilities available to malicious users.
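A request scanner that implements the Hidden File, HT Configuration File and Common Command detectors described above, as an added example (not CodeSeeker's code). The detector names and the signature table are constructed from the descriptions on this page; the URLs are constructed apart from the page's own examples; and cmd.exe is included alongside cmd.com and command.com because the Dot Detector example uses it.

```python
"""Signature detectors for hidden files, .ht* files and common commands.

Added example for this help page, not CodeSeeker's own code. Detector names
and the signature table are constructed from the descriptions above.
"""
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# A command is only a hit where a shell would execute it: at the start of a
# parameter value (after '=') or after a separator or substitution character.
SEP = r"(?:^|[\s;|&`$(){}=])"
END = r"(?=$|[\s;|&`$(){}>\"'])"
PREFIX = r"(?:\S*[\\/])?"          # optional path such as /usr/bin/ or C:\winnt\

COMMAND_SIGNATURES = {
    "cmd_shell":   PREFIX + r"(?:command\.com|cmd\.(?:com|exe))",
    "dir_listing": r"/bin/ls",     # the page names /bin/ls specifically
    "id_cmd":      PREFIX + r"id",
    "rm_cmd":      PREFIX + r"rm",
    "wget_cmd":    PREFIX + r"wget",
    "tftp_cmd":    PREFIX + r"tftp",
    "echo_cmd":    PREFIX + r"echo",
    "perl":        PREFIX + r"perl(?:\.exe)?",
}
COMMAND_RES = {name: re.compile(SEP + "(" + pat + ")" + END, re.I | re.A)
               for name, pat in COMMAND_SIGNATURES.items()}

# Path-only detectors: a segment beginning with '.' followed by a name
# character ('.' and '..' themselves are left to the Dot Detector), and the
# Apache .ht* family (.htaccess, .htpasswd, .htgroup, backups of them, ...).
HIDDEN_FILE_RE = re.compile(r"(?:^|/)(\.[A-Za-z0-9_][^/]*)")
HT_CONFIG_RE = re.compile(r"(?:^|/)(\.ht[^/]*)", re.I)


def scan_request(url: str) -> list[tuple[str, str]]:
    """Return (detector, matched text) pairs for one request URL.
    The path is percent-decoded; the query is decoded with '+' as space,
    which is how the command arguments in the page's IIS example arrive."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    query = unquote_plus(parts.query)
    hits = []
    for name, rx in (("hidden_file", HIDDEN_FILE_RE), ("ht_config", HT_CONFIG_RE)):
        for m in rx.finditer(path):
            hits.append((name, m.group(1)))
    for name, rx in COMMAND_RES.items():
        for text in (path, query):
            for m in rx.finditer(text):
                hits.append((name, m.group(1)))
    return hits


def detectors_fired(url: str) -> set[str]:
    """Just the names of the detectors that matched, for policy decisions."""
    return {name for name, _ in scan_request(url)}


if __name__ == "__main__":
    for sample in ("http://somehost/.htpasswd",
                   "http://somehost/cgi-bin/view.cgi?file=;id",
                   "http://somehost/shop/item?id=42"):
        print(sample, sorted(detectors_fired(sample)))
```

The command signatures only fire where a shell would execute the word, so ?id=42 stays quiet while ?file=;id is flagged. The price of matching a two-letter command name is that ?sort=id is flagged too; that is the false positive a practitioner should expect from this detector, and in practice it is tuned per application or combined with the parameter name.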

Null Byte Detector

The Null Byte Detector checks for null byte activity. Within an HTTP query string, the null byte (\0, 0x00) can be used to alter URL input parameters such as paths, filenames, parameters and commands. Web applications often pass data to underlying low-level C functions for further processing. If the string AAA\0BBB is accepted as a valid string by a web application (or, more precisely, by its programming language), it may be shortened to AAA by the underlying C functions, because C and C++ treat the null byte (\0) as the end of a string. Applications that do not perform adequate input validation can therefore be fooled by inserting null bytes into critical parameters. This is normally done by URL-encoding the null byte (%00); in special cases a Unicode encoding of it can be used instead.
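The AAA\0BBB truncation and a matching detector, as an added example (not CodeSeeker's code). The report application, its directory, its file extension and the request URLs are constructed; ctypes.c_char_p is used only to show exactly what a C string function receives when it is handed the application's buffer.

```python
"""Null byte truncation at the C boundary, and a detector for it.

Added example for this help page, not CodeSeeker's own code. The report
application, REPORT_DIR and the sample requests are constructed.
"""
import ctypes
from urllib.parse import parse_qsl, unquote_to_bytes, urlsplit

REPORT_DIR = b"/var/app/reports/"      # hypothetical application directory


def as_seen_by_c(s: bytes) -> bytes:
    """What strlen(), fopen() and friends see: the bytes up to the first NUL.
    ctypes.c_char_p reads its buffer as a NUL-terminated C string."""
    return ctypes.c_char_p(s).value


def build_report_path(user_name: bytes) -> bytes:
    """Vulnerable pattern: the application pins the directory and appends a
    fixed extension in the high-level language, and so believes that only
    .txt files under REPORT_DIR are reachable."""
    return REPORT_DIR + user_name + b".txt"


def path_opened_by_c(user_name: bytes) -> bytes:
    """The path a C-level open() actually acts on for that user input:
    everything after the NUL, including the .txt suffix, is gone."""
    return as_seen_by_c(build_report_path(user_name))


def null_byte_detector(url: str) -> list[str]:
    """Name every request component that contains a NUL after percent-decoding.
    %00 is the usual encoding; a raw 0x00 byte is caught the same way."""
    parts = urlsplit(url)
    findings = []
    if b"\x00" in unquote_to_bytes(parts.path):
        findings.append("path")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if "\x00" in key or "\x00" in value:
            findings.append("query:" + key)
    return findings


if __name__ == "__main__":
    print(as_seen_by_c(b"AAA\x00BBB"))                                   # b'AAA'
    evil = unquote_to_bytes("..%2F..%2F..%2Fetc%2Fpasswd%00")
    print(build_report_path(evil))                                       # what the application built
    print(path_opened_by_c(evil))                                        # what C opens
    print(null_byte_detector("http://somehost/report.cgi?name=..%2F..%2F..%2Fetc%2Fpasswd%00"))
```

The detector runs on the decoded value, not on the raw query string: a %00 is a NUL only after decoding, and a server that decodes twice would also turn %2500 into one, which is why the canonicalisation used by the Dot Detector should precede this check in a real deployment.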

Unicode Detector

The Unicode Detector detects Unicode activity. Unicode encoding is a method of representing characters with multiple bytes. Wherever input data is allowed, it can be entered using Unicode to disguise malicious code and permit a variety of attacks. RFC 2279 describes several ways that text can be encoded. Unicode was developed to provide a Universal Character Set (UCS) that encompasses most of the world's writing systems. Multi-octet characters, however, are not compatible with many existing applications and protocols, which led to the development of a few UCS Transformation Formats (UTF) with varying characteristics. UTF-8 has the property of preserving the full US-ASCII range: it is compatible with file systems, parsers and other software that rely on US-ASCII values, but it is transparent to other values. The
