---------------------------------------------------------------------------
Section 00 General Info
---------------------------------------------------------------------------

00-1. What is this "FAQ" for?

This FAQ contains information about hacking via the World Wide Web. I compiled the Netware Hack FAQ, and decided to compile a Web Hack FAQ after discovering how many issues are involved with the web and security. I plan on showing the what and how regarding web hacking, and by illustrating this in explicit detail show how sys admins can improve security and prevent break-ins.

Most of the information in this FAQ was compiled and collected from various sources freely available on the Internet. Furthermore, I've used the NMRC lab and "field research" ;-) to test the ideas here.

I expect this FAQ to be more of a "hot potato" than the Netware Hack FAQ, namely because most Netware servers are not accessible via the Internet, while web servers certainly are. While this FAQ is written from the intruder's point of view, it obviously will help administrators get an idea of where to look when it comes to system vulnerabilities. Who knows? Maybe you admins can use this document to get that budget increase for security ;-)

---------------------------------------------------------------------------

00-2. What is the origin of this FAQ and how do I add to it?

Send comments about info in this FAQ to thegnome@fastlane.net. Simple flames about typos and "that's not right" one-liners will be ignored. If you wish to contribute corrections, please include your research and source of facts. Also, if you wish to add your information, I will include it if I can include your email address, unless I can verify the info independently. This way if someone has questions, they can bug you, not me.

I've tried to personally test all of these "exploits" in my lab when possible, and I try to test on others' equipment when I do not have a certain revision of software or OS. So let me know if some of these items do NOT work for you, and under what circumstances.

---------------------------------------------------------------------------

00-3. Is this FAQ available by anonymous FTP or WWW?

The FAQ is available as a plaintext file, or as a set of HTML docs.

Plaintext is in the following locations:

  http://www.nmrc.org/files/sunix/3wfaq3.zip
  http://www.nmrc.org/files/sunix/3wfaq3.tgz

Entire FAQ Online:

  USA: http://www.nmrc.org/faqs/www/index.html

---------------------------------------------------------------------------

00-4. What conventions are used in this document?

There are so many different versions of browsers and servers that I can't give details and hacks on everything. So I'll try to generalize where I can, and concentrate on the most common platforms. So here are the assumptions:

- Unless specified, I'm referring to a Netscape browser on a Microsoft OS.
- Unless specified, I'm referring to free server software that supports forms running on Unix.

---------------------------------------------------------------------------

00-5. What is needed in this FAQ?

Tons of info. I have virtually nothing on Internet Explorer, and not a lot on Netscape 3.x. I need more on servers, and more code examples. I need info on ActiveX. I'd also like more example attacks and how they look in log files. Actually, if it is not in here, I need it.

Bear in mind the flavor here is from the attacker's point of view. While I'm interested in securing a web server, I do not need "do this because it's more secure"-type contributions. I need the exploit code to go along with it, or at least enough info for me to run with it. I know this offends some people, but hey, I get one flame mail for every ninety "thank you's" from administrators on this type of stuff.

---------------------------------------------------------------------------

00-6. Where can I get more info regarding Web security?

There are a number of books available at large bookstores in the computer section, but these usually do not cover security in great detail. Often they don't tell you why something is a security hole, so a person securing a Web server may not have all of the facts. And if you're a hacker looking for holes, they are rarely in print in books (publishers are too conservative).

Most of the common security newsgroups touch on Web-related topics at one point or another, and as a future intruder you're certainly going to have to know more about a Web server, like the OS running under it. All security-related newsgroups and mailing lists should be considered resources.

Here are a few good sources on the Web just for Web security:

  The Web security FAQ - http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
  CGI Security - http://www.cerf.net/~paulp/cgi-security
  More info on Java applets for bad guys - http://www.math.gatech.edu/~mladue/HostileApplets.html

---------------------------------------------------------------------------