w3 Hack FAQ

09-1. How do I secure things? Read the WWW-Security FAQ. Users- As a browser user, wipe your cache and history before accessing suspicious and/or unknown sites. Wipe your cache after each session and use a proxy like http://www.anonymizer.com/. Don't bookmark sites that you wouldn't want people to know you visit. Web pages can be configured not to be cached by their authors. After visiting a site that requires a password, check your cache to be sure it is not sitting there for anyone to grab. Turn off Java if you don't trust it. Don't load an applet unless you are sure it's ok. Admins- Do not run httpd...

These questions (reworded and spell checked) are lame, but give you admins out there a bit of a flavor of the mentality of "intruders" that write to me. Four people asked all three of these questions in the same email.... 08-1. How can I falsely increase the hits on my counter? This one is a sore spot with me, as I have no understanding as to the importance of a web counter. If you are a site trying to gain advertisers, well, you would obviously forge this number (make it very high) and even forge your logs to show thousands and thousands of entries to a perspective sucker^h^h^h^h^h^h client. There. I feel better. Now, how do you increase...

07-1. What is CGI? CGI stands for Common Gateway Interface. It is a way for users to submit requests and have the server perform some function, typically a function that is native to the operating system, to either send a more "dynamic" response to the user, or to gather information about the user. For example, the user fills out a survey form and mails it in, or requests information on a part number and the server looks up the price from a database before sending the user the HTML page. 07-2. Are there default vulnerabilities? Yes and no. There are "default" vulnerabilities that exist in several example files, as mentioned in Section 02...

06-1. What are some good search engines? The best search engine in my opinion is the AltaVista site, located at http://www.altavista.digital.com. This site is mainly a promotional search engine to sell copies of the AltaVista search engine to Intranets. It is the most popular search site of hackers the world over. Others include search.com and Yahoo. 06-2. What "vulnerable" files can I find? AltaVista got rid of these, but you USED to be able to search on keywords like "root:" and "0:0", allowing you to collect password files from misconfigured web servers. You can still do searches with keywords like this to turn up interesting ...

05-1. What is a JavaScript Applet? JavaScript is Netscape's way of allowing a server to send code via HTML directly to your browser. Since Java is built into Netscape, JavaScript "applets" can be constructed by simply including the text inside the HTML document. When someone accesses your page -- bingo! -- the code then uses Java and performs some function. They can work on 16-bit and 32-bit versions of a Web browser that supports Java, e.g. Netscape. Also, if you have a Java compiler you can compile an applet and have the appropriate code in the HTML document and load it up to the browser. This approach is even better as you can use...

04-1. What are some known vulnerabilities with Microsoft Internet Information Server? There are a few, and they are deadly. If a site is running Microsoft Internet Information Server v1.0, the default installation leaves the server wide open. The example hack illustrated here assumes that the CGI directory is /scripts, there are no files called pfieffer.bat or pfieffer.cmd in the scripts directory, and the web server links .bat and .cmd files to cmd.exe. Just point your browser this way: http://www.target.com/scripts/pfieffer.bat?&dir+c:\+?&time or http://www.target.com/scripts/pfieffer.cmd?&am...

Note - some of this material does pertain to other platforms, but I am mainly refering to Unix-based Web servers. 03-1. What are the big "weak spots" on servers? The big weak spots are as follows: Server running HTTPD as root. This means that anytime a user attaches to the web server they are running as root. Very powerful if there are any holes at all. This means that if your browser can find a way in, you can gain access to anything on the system. Improper checking and buffering of user data by CGI scripts. Either a buffer can be overrun or arbitrary commands can be sent to the server. Improper configuration of the server itself or the ...

02-1. What is phf? The phf file is an example CGI script that is used to update a phonebook style listing of people. By default a lot of sites have this file sitting in /cgi-bin/ and don't even know it. You know, they installed everything to default. However the phf file behaves "differently" if thrown a newline (0a) character. Here's the common attack for a Unix server - http://thegnome.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd Or better yet, a series of commands - http://thegnome.com/cgi-bin/phf?%0aid&Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffic...

01-1. What is "unsafe" about my browser? There are two main areas regarding security around a browser -- reading your private files and manipulating you into a compromising situation. A few files provide a lot of information about yourself. These include cache files, the history file, and your bookmarks. By examining someone's cache, history, and bookmarks you can learn a lot about a person. Usually if you are a typical home user running Windows, this is not a problem. But if you are storing your Netscape directory on a server, the server could be compromised and then anything in cache and history is in the hands of someone else. Eve...

00-1. What is this "FAQ" for? This FAQ contains information about hacking via the World Wide Web. I compiled the Netware Hack FAQ, and decided to compile a Web Hack FAQ after discovering how many issues are involved with the web and security. I plan on showing the what and how regarding web hacking, and by illustrating this in explicit detail show how sys admins can improve security and prevent break-ins. Most of the information in this FAQ was compiled and collected from various sources freely available on the Internet. Furthermore, I've used the NMRC lab and "field research" ;-) to test the ideas here. I expect this FAQ to be more ...