1.0 Introduction
One-way web hacking is a technique which relies purely on HTTP traffic to attack and penetrate web servers and application servers. This technique was formulated to demonstrate that having tight firewalls or SSL does not really matter when it comes to web application attacks. The premise of the one-way technique is that only valid HTTP requests are allowed in and only valid HTTP responses are allowed out of the firewall.
My research on one-way web hacking began as early as April 2000, when I was faced with the need to upload an arbitrary file on a compromised web server which had a restrictive firewall. Since then, many other techniques developed and the collection of all these techniques resulted into the creation of the one-way web hacking methodology.
One-way web hacking has been demonstrated at the Blackhat Briefings in Amsterdam 2001, Las Vegas 2001 and HACK 2002 in Kuala Lumpur.
1.1 Components of a generic web application system
There are four components in a web application systems, namely the web client which is usually a browser, the front-end web server, the application server and for a vast majority of applications, the database server. The following diagram shows how these components fit together.
The web application server hosts all the application logic, which may be in the form of scripts, objects or compiled binaries. The front-end web server acts as the application interface to the outside world, receiving inputs from the web clients via HTML forms and HTTP, and delivering output generated by the application in the form of HTML pages. Internally, the application interfaces with back-end database servers to carry out transactions.
The firewall is assumed to be a tightly configured firewall, allowing nothing but incoming HTTP requests and outgoing HTML replies.
1.2 URL mappings to the web application system
While interacting with a web application, the URLs that get sent back and forth between the browser and the web server typically have the following format:
http:// server / path / application ? parameters
The following diagram illustrates how different parts of the URL map to various areas in the web application system:
- The protocol (http or https) is allowed in and out by the firewall.
- The server and path parts are parsed by the front-end web server. Any vulnerabilities present in URL interpretation (e.g. unicode, double-decode) can be exploited by tampering with the server and path of the URL.
- The application is executed by the application server with which it is configured or registered. Tampering with this part may result in exploiting vulnerabilities present with the application server. (e.g. compiling and executing arbitrary files using the JSP servlet handler)
- Parameters supplied to the application, if not properly validated, may result in vulnerabilities specific to that application. (e.g. inserting pipe "|" characters to the open() call in Perl)
- If a parameter is used as a part of an SQL database query, poorly validated parameters may lead to SQL injection attacks. (e.g. execution of arbitrary commands using stored procedures such as "xp_cmdshell")
A detailed discussion can be found in Chapter 5 of "Web Hacking: Attacks and Defense" [1]