Port 80 is the standard port for web sites, and it can carry many different security problems. These holes can let an attacker obtain administrative access to the web site, or even to the web server itself. This article examines some signatures characteristic of such attacks, and what you should look for in your logs.
Simple signatures
In this section you will find the common traces that break-ins of web servers and web applications leave behind. You will not see every possible variant of attack here, but once you learn how these signatures usually appear, they will cover the majority of the known and unknown holes that attackers can use against you. Also described here is what each signature is used for, or how it can be used in an attack.
Requests containing ".", ".." and "..."
These are the most frequently seen attack signatures, both against web applications and against web servers. They are used by an attacker or a worm to change directories on the server in order to reach a non-public area. The majority of CGI holes involve requests containing "..".
Example:
http://host/cgi-bin/lame.cgi?file=../../../../etc/motd
This request shows the attacker the server's "Message of the Day". If an attacker is able to read directories outside the web root on your web server, he can gather enough information to obtain the privileges he needs.
Requests containing "%20"
This is the hexadecimal (URL-encoded) value of the space character. Its presence alone does not mean you are being attacked, since some web applications use it in legitimate requests. However, it can also be used to pass arguments when launching commands, so be careful when checking your logs.
Example:
http://host/cgi-bin/lame.cgi?page=ls%20-al| (the typical UNIX command ls -al)
This example shows the attacker running the ls command on UNIX and passing it an argument. That argument gives the attacker a complete directory listing, which can help him locate important files on your system or work out how to gain additional privileges.
Requests containing "%00"
This is the hexadecimal (URL-encoded) value of the null byte. It can be used to trick a web application into believing that a different file was requested.
Example:
http://host/cgi-bin/lame.cgi?page=index.html
The example shown could be a perfectly legitimate request to the server. If an attacker discovers it, he will certainly use the request to hunt for holes.
http://host/cgi-bin/lame.cgi?page=../../../../etc/motd
The web application may refuse this request if it checks that the file name ends in .htm, .html, .shtml, or another permitted extension. Many applications will work out that the requested file type is not allowed, and will often tell the attacker that the file must be of a permitted type. In this way the attacker learns the names of directories and files, and can then possibly gather more information about your system.
http://host/cgi-bin/lame.cgi?page=../../../../etc/motd%00.html
With this request the application considers the file name to be of a permitted type, because the check sees the .html suffix; but a C-style string ends at the first null byte, so the file actually opened is /etc/motd. Some web applications do a poor job of validating the requested file name, so this is a method attackers use often.
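The following is an added example, not code from the original article: a Python model of the weak CGI file handling described in the ".." and "%00" sections above, next to a hardened version. The web root /var/www/html and the list of allowed extensions are assumptions for illustration; nothing is read from disk. Because Python's own open() rejects an embedded null byte rather than truncating at it, the C string behaviour that makes the %00 trick work is simulated explicitly.

```python
import posixpath
from urllib.parse import unquote

# Assumed web root and extension whitelist for the example only.
WEB_ROOT = "/var/www/html"
ALLOWED_EXT = (".htm", ".html", ".shtml")


def resolve_vulnerable(page_param: str) -> str:
    """Model of the weak CGI: validate the raw parameter, decode afterwards.

    '../../../../etc/motd%00.html' passes the extension check while it is
    still URL-encoded.  The decoded name is then handed to a C-style open(),
    which treats the first NUL byte as the end of the string, so the
    ".html" suffix is never seen by the file system.  That truncation is
    simulated here with split("\\x00").  No traversal check is made at all.
    """
    if not page_param.lower().endswith(ALLOWED_EXT):
        raise ValueError("file must be .htm, .html or .shtml")
    decoded = unquote(page_param)
    c_string = decoded.split("\x00", 1)[0]   # what strcpy()/open() would see
    return posixpath.normpath(posixpath.join(WEB_ROOT, c_string))


def resolve_hardened(page_param: str) -> str:
    """Decode first, validate the decoded name, then confine it to the root."""
    decoded = unquote(page_param)
    if "\x00" in decoded:
        raise ValueError("NUL byte in file name")
    if not decoded.lower().endswith(ALLOWED_EXT):
        raise ValueError("file must be .htm, .html or .shtml")
    # Reject any ".." path component outright ...
    if ".." in decoded.split("/"):
        raise ValueError("directory traversal in file name")
    # ... and still confirm the normalised path lies under the web root.
    full = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        raise ValueError("path escapes web root")
    return full


if __name__ == "__main__":
    for param in ("index.html", "../../../../etc/motd",
                  "../../../../etc/motd%00.html"):
        for fn in (resolve_vulnerable, resolve_hardened):
            try:
                print(f"{fn.__name__:<18} {param:<34} -> {fn(param)}")
            except ValueError as err:
                print(f"{fn.__name__:<18} {param:<34} -> rejected: {err}")
```

Run it and the vulnerable resolver turns the %00 request into /etc/motd while rejecting the same path without the null byte, which is exactly the difference in behaviour the attacker is probing for. The hardened version rejects all three malformed variants and accepts index.html.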
Requests containing "|"
The vertical bar (pipe) is frequently used in UNIX to chain several commands together in a single request.
Example:
cat access_log | grep -i '\.\.'
(This example shows a check of the log for requests containing "..", which are frequently used by hackers and worms; the dots are escaped because an unescaped ".." in a grep pattern matches any two characters.) Web applications frequently use this character, so its presence in the logs can turn out to be a false alarm. To reduce the rate of false alarms, a thorough analysis of your software and how it works is needed.
Several examples:
http://host/cgi-bin/lame.cgi?page=../../../../bin/ls|
This request is a plain call to "ls". Different variants of this request are given below.
http://host/cgi-bin/lame.cgi?page=../../../../bin/ls%20-al%20/etc|
This request produces a complete listing of the "etc" directory.
http://host/cgi-bin/lame.cgi?page=cat%20access_log|grep%20-i%20"lame"
This request runs the "cat" command, then "grep" with the "-i" argument.
Requests containing ";"
This character allows several commands to be run on one line on a UNIX system.
Example:
id;uname -a (runs the "id" command, then "uname")
Web applications frequently use this character, so false alarms are possible. Again, a thorough study of your software and how it works will lower the rate of false alarms.
Requests containing "<" and ">"
These characters should be checked for in the logs for many reasons, the first of which is that they are used to redirect output into a file.
Example 1:
echo "your hax0red h0 h0" >> /etc/motd
(This example writes data into a file.) An attacker can use such a request, for example, to deface your web site. The famous RDS exploit by rain.forest.puppy was frequently used by hackers to write content into the main page of web sites. Examples of defaced web sites, plain white pages with no formatting, can be found on attrition.org.
Example 2:
http://host/something.php=<b>Hi%20mom%20I'm%20Bold!</b>
This is an example of a cross-site scripting attack. HTML tags use the "<" and ">" characters. Although this attack does not give the attacker access to the system, it can be used to deceive people about the reliability of the information on the site. (Of course, the victims must visit a link chosen by the attacker. The request can be disguised by encoding the characters in hexadecimal form so that it is not so obvious.)
Requests containing "!"
This character is frequently used in SSI (Server Side Include) attacks. Such an attack can give the attacker results similar to the previous one, when a deceived user clicks on the link.
Example:
http://host1/something.php=<!--#include%20virtual="http://host2/fake-article.html"-->
In this example a file from host2 is included, giving the impression that it is located on host1. As before, the user must visit a link of the attacker's choosing for the attack to work.
Furthermore, this lets an attacker run commands on your system with the privileges of the web server user.
Example:
http://host/something.php=<!--#exec%20cmd="id"-->
This runs the "id" command on the remote system. It should display the user id of the web server, which is usually called "nobody" or "www".
It can also allow hidden files to be included.
Example:
http://host/something.php=<!--#include%20virtual=".htpasswd"-->
This command includes the .htpasswd file. This file should not be accessible to everyone, and Apache even has a built-in rule that forbids access to .ht* files. The SSI tag gets around that rule, which can cause security problems.
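The following is an added example, not code from the original article: a small Python scanner that applies the signatures from the "%20", "%00", "|", ";", "<" ">" and "!" sections above to access-log lines. The log lines are constructed for the example (Common Log Format, not real traffic), and the list of command names and the rule names are this example's own choices. Every pattern runs against the URL-decoded request target, so the hex-encoded disguise mentioned in the cross-site scripting section ("%3C" for "<", "%2F" for "/") does not hide a request from the rules; a lone "%20" in an ordinary search query produces no alert, matching the false-alarm caveat in the text.

```python
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed access-log lines (Common Log Format); not real traffic.
# Lines 1 and 2 are legitimate, the rest carry signatures from the article.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2001:10:01:22 -0500] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [12/Mar/2001:10:01:30 -0500] "GET /search.cgi?q=red%20shoes HTTP/1.0" 200 512
10.0.0.9 - - [12/Mar/2001:10:02:01 -0500] "GET /cgi-bin/lame.cgi?file=../../../../etc/motd HTTP/1.0" 200 322
10.0.0.9 - - [12/Mar/2001:10:02:05 -0500] "GET /cgi-bin/lame.cgi?page=..%2F..%2F..%2F..%2Fetc%2Fmotd%00.html HTTP/1.0" 200 322
10.0.0.9 - - [12/Mar/2001:10:02:11 -0500] "GET /cgi-bin/lame.cgi?page=ls%20-al%20/etc| HTTP/1.0" 200 8812
10.0.0.9 - - [12/Mar/2001:10:02:15 -0500] "GET /cgi-bin/lame.cgi?page=id;uname%20-a HTTP/1.0" 200 90
10.0.0.12 - - [12/Mar/2001:10:03:40 -0500] "GET /something.php=%3Cb%3EHi%20mom%3C/b%3E HTTP/1.0" 200 77
10.0.0.12 - - [12/Mar/2001:10:03:52 -0500] "GET /something.php=<!--#exec%20cmd=%22id%22--> HTTP/1.0" 200 77
"""

# One rule per signature from the text.  The command list is an assumption
# for the example; extend it to match the binaries on your own hosts.
SIGNATURES = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "null_byte": re.compile(r"\x00"),
    "shell_command": re.compile(
        r"""(?:^|[=/;|&\s"'])(?:ls|cat|id|uname|echo|grep|wget|nc)(?:[\s;|"']|$)"""),
    "pipe": re.compile(r"\|"),
    "semicolon": re.compile(r";"),
    "html_tag": re.compile(r"<[^>]*>"),
    "ssi_directive": re.compile(r"<!--\s*#\s*(?:include|exec|echo|config)\b"),
}

# client, then anything up to the quoted request line: METHOD TARGET HTTP/x.y
CLF_REQUEST = re.compile(
    r'^(?P<client>\S+) .*? "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify(target: str) -> list[str]:
    """Return the names of the signatures present in one request target."""
    decoded = unquote(target)          # "%00" becomes a real NUL, "%3C" a "<"
    return [name for name, pat in SIGNATURES.items() if pat.search(decoded)]


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, raw target, tags) for every line that trips a rule."""
    hits = []
    for line in text.splitlines():
        m = CLF_REQUEST.match(line)
        if not m:
            continue                   # malformed line: skip rather than crash
        tags = classify(m.group("target"))
        if tags:
            hits.append((m.group("client"), m.group("target"), tags))
    return hits


if __name__ == "__main__":
    for client, target, tags in scan_log(SAMPLE_LOG):
        print(f"{client:<10} {','.join(tags):<36} {target}")
```

On the constructed log the first two lines produce nothing, the traversal request is tagged once, the %00 variant is tagged for both traversal and the null byte, and the SSI line trips the HTML tag rule, the SSI rule and, because "id" appears between quotes, the shell command rule as well. The pipe and semicolon rules are deliberately kept as separate tags so that you can weight them lower for applications that legitimately use those characters.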