Apache Security - Ivan Ristic [206]
For example, uploading a file archive.tar.gz (assuming the file upload field is named filename) to script upload.php is as simple as:
$ curl -F filename=@archive.tar.gz http://www.example.com/upload.php
The following is a brief but informative tutorial on HTTP scripting with Curl:
"The Art Of Scripting HTTP Requests Using Curl" by Daniel Stenberg (http://curl.haxx.se/docs/httpscripting.html)
Network-Sniffing Tools
When HTTP traffic flows over an unprotected channel, network-level traffic monitoring can be used for various purposes. Some of the possible uses are:
Monitoring who accesses what and when
Stealing authentication credentials
Stealing session tokens
It does not matter whether the network is switched or not: if data is traveling unprotected, it can be sniffed. Here are the most popular network-monitoring tools:
Tcpdump (http://www.tcpdump.org)
Ethereal (http://www.ethereal.com)
Ettercap (http://ettercap.sourceforge.net)
Dsniff (http://monkey.org/~dugsong/dsniff/)
Ngrep (http://ngrep.sourceforge.net)
The combination of Tcpdump plus Ethereal has worked well for me in the past, and I propose you try them first.
There are a few commercial Windows-based network-monitoring tools (designed to work with HTTP) available. They are inexpensive, so you may want to give them a try.
HTTP Sniffer (http://www.effetech.com/sniffer/)
HTTPLook (http://www.httpsniffer.com)
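The risk above can be turned into an audit of your own traffic: as an added example (not from the book), the Python script below reads the plain-text view of port-80 requests that a sniffer such as ngrep or tcpdump -A prints and reports which requests carry HTTP authentication credentials, password form fields or session cookies in the clear, without printing the secret values. The capture is constructed, and the request-start and cookie/field name patterns are assumptions.

```python
import re
from urllib.parse import parse_qs
# Constructed sample: three requests as ngrep or "tcpdump -A" would print
# them when they cross port 80 unprotected.
CAPTURE = """\
GET /admin/ HTTP/1.1
Host: www.example.com
Authorization: Basic dXNlcjpzZWNyZXQ=

POST /login.php HTTP/1.1
Host: www.example.com

username=alice&password=hunter2
GET /account HTTP/1.1
Host: www.example.com
Cookie: PHPSESSID=0123456789abcdef; lang=en

"""

# Assumed patterns: where a request starts, and which cookie / form field
# names usually carry a session token or a password.
REQUEST_START = re.compile(r"(?m)^(?=(?:GET|POST|PUT|DELETE|HEAD) \S+ HTTP/)")
SESSION_COOKIE = re.compile(r"sess|sid$|token", re.IGNORECASE)
PASSWORD_FIELD = re.compile(r"pass|pwd|secret", re.IGNORECASE)

def find_cleartext_secrets(capture):
    """Return (host, path, finding) for each request that exposes credentials
    or a session token; the secret values themselves are never reported."""
    findings = []
    for raw in filter(str.strip, REQUEST_START.split(capture)):
        head, _, body = raw.partition("\n\n")   # headers end at first blank line
        lines = head.splitlines()
        path = lines[0].split()[1]
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        host = headers.get("host", "?")
        if "authorization" in headers:
            scheme = headers["authorization"].split()[0]
            findings.append((host, path, f"{scheme} credentials in Authorization header"))
        for cookie in headers.get("cookie", "").split(";"):
            name = cookie.partition("=")[0].strip()
            if name and SESSION_COOKIE.search(name):
                findings.append((host, path, f"session token in cookie {name}"))
        for field in parse_qs(body.strip()):
            if PASSWORD_FIELD.search(field):
                findings.append((host, path, f"password in form field {field}"))
    return findings
```

Each finding names an application that still needs to move behind SSL or to a safer authentication scheme.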
SSLDump
SSLDump (http://www.rtfm.com/ssldump/) is an SSL network protocol analyzer. It can be used where most other network sniffing tools cannot, which is to look into the SSL traffic:
# ssldump port 443
I did say look, but the previous command will only be able to examine the structure of SSL traffic and not display the application data. That would defeat the point of SSL. However, ssldump can display application data, too, but only if it is provided with the private server key:
# ssldump -d -k key.pem host www.apachesecurity.net port 443
Web Security Scanners
Similar to how network security scanners operate, web security scanners try to analyze publicly available web resources and draw conclusions from the responses.
Web security scanners have a more difficult job to do. Traditional network security revolves around publicly known vulnerabilities in well-known applications providing services (it is rare to have custom applications on the TCP level). Though there are many off-the-shelf web applications in use, most web applications (or at least the interesting ones) are written for specific purposes, typically by in-house teams.
Nikto
Nikto (http://www.cirt.net/code/nikto.shtml) is a free web security scanner. It is an open source tool available under the GPL license. There is no support for GUI operation, but the command-line options work on Unix and Windows systems. Nikto focuses on three web-related issues:
Web server misconfiguration
Default files and scripts (which are sometimes insecure)
Outdated software
Known vulnerabilities
Nikto cannot be aware of vulnerabilities in custom applications, so you will have to look for them yourself. Looking at how it is built and what features it supports, Nikto is very interesting:
Written in Perl, uses libwhisker
Supports HTTP and HTTPS
Comes with a built-in signature database, showing patterns that suggest attacks; this database can be automatically updated
Allows the use of a custom signature database
Supports Perl-based plug-ins
Supports TXT, HTML, or CSV output
If Perl is your cup of tea, you will find Nikto very useful. With some knowledge of libwhisker and the internal workings of Nikto, you should be able to automate the boring parts of web security assessment by writing custom plug-ins.
Nikto's greatest weakness is that it relies on the pre-built signature database to be effective. As is often the case with open source projects, this database does not seem to be frequently updated.
Nessus
Nessus (http://www.nessus.org) is a well-known open source (GPL) security scanner. Scanning web servers is