One issue that can skew the outcome of profiling is intermediate infrastructure placed in front of the web application: load balancers, virtual server configurations, proxies, and web application firewalls. Each of these can make one host look like many, or many hosts look like one, so the signs of each are worth knowing before you trust a scan result.
Virtual Servers
Virtual servers are another thing to consider. Some web hosting companies reduce hardware costs by running several web servers on multiple virtual IP addresses on the same machine. Be aware that port scan results showing a large population of live servers at different IP addresses may in fact be a single machine answering on multiple virtual IP addresses.
Load Balancer
A load balancer is a device that acts as a reverse proxy and distributes network or application traffic across a number of servers. Load balancers are used to increase the capacity (concurrent users) and reliability of applications.
Load balancer detection techniques:
• Timestamp analysis
• ETag and Last-Modified differences
• Load balancer cookies
• Enumerating SSL anomalies
• Enumerating HTML source code
Timestamp analysis
Many servers do not have their clocks synchronized, so you can often tell whether multiple servers are present by issuing several requests within one second and comparing the Date headers in the responses. If your requests are being handed to different servers, the times reported back will likely vary. Repeat this several times to reduce the chance of false positives and let a real pattern emerge. If you are lucky, each server's clock will be off by a different amount, and you will be able to deduce how many servers are being balanced. Note that a load balancer or CDN that rewrites the Date header itself will hide this signal.
ETag and Last-Modified differences in headers
By comparing the ETag and Last-Modified values in the response headers for the same requested resource, you can determine whether you are getting different copies of the file from multiple servers. For example, here are the headers returned by several requests for index.html:
ETag: "20095-2de2-3fdf365353cc0"
ETag: "6ac117-2c5e-3eb9ddfaa3a40"
Last-Modified: Sun, 19 Dec 2004 20:30:25 GMT
Last-Modified: Sun, 19 Dec 2004 20:31:12 GMT
The difference in the Last-Modified timestamps between these responses indicates that the servers did not replicate immediately and that the requested resource was copied to the other server about a minute later. Apache's default ETag is built from the file's inode, size and modification time, so two different ETags for the same path usually mean two physically different files, that is, two different hosts.
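Here is an added Python example (not code from the original post) that applies both checks above to a set of constructed response headers for one URL: it clusters responses by the clock skew visible in the Date header and groups them by ETag/Last-Modified, then takes the larger count as a lower bound on the number of backends. The sample headers, the two-second tolerance and the function names are assumptions.

```python
"""Estimate the number of backends behind a load balancer from repeated
responses to one URL (added example; SAMPLES are constructed, not captured)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed samples: (time we sent the request, response headers).
# They imitate a pool of three nodes: node A's clock is right, node B's is
# 47 s slow, node C's is 2 min fast, and node C still serves an older copy
# of index.html (different ETag and Last-Modified).
_T0 = datetime(2004, 12, 19, 20, 45, 0, tzinfo=timezone.utc)
_OLD = {"ETag": '"20095-2de2-3fdf365353cc0"',
        "Last-Modified": "Sun, 19 Dec 2004 20:30:25 GMT"}
_NEW = {"ETag": '"6ac117-2c5e-3eb9ddfaa3a40"',
        "Last-Modified": "Sun, 19 Dec 2004 20:31:12 GMT"}
SAMPLES = [
    (_T0, {"Date": "Sun, 19 Dec 2004 20:45:00 GMT", **_NEW}),  # A
    (_T0, {"Date": "Sun, 19 Dec 2004 20:44:13 GMT", **_NEW}),  # B
    (_T0, {"Date": "Sun, 19 Dec 2004 20:47:00 GMT", **_OLD}),  # C
    (_T0 + timedelta(seconds=1), {"Date": "Sun, 19 Dec 2004 20:45:01 GMT", **_NEW}),  # A
    (_T0 + timedelta(seconds=1), {"Date": "Sun, 19 Dec 2004 20:44:15 GMT", **_NEW}),  # B, 1 s jitter
    (_T0 + timedelta(seconds=1), {"Date": "Sun, 19 Dec 2004 20:47:02 GMT", **_OLD}),  # C
]


def clock_skews(samples):
    """Seconds by which each response's Date header differs from the send time."""
    skews = []
    for sent, headers in samples:
        server_time = parsedate_to_datetime(headers["Date"])
        skews.append(int((server_time - sent).total_seconds()))
    return skews


def cluster_skews(skews, tolerance=2):
    """Group skews that lie within `tolerance` seconds of their sorted
    neighbour; each cluster is one distinct clock, i.e. most likely one host.
    Date has one-second resolution, so a tolerance below 2 over-counts."""
    clusters = []
    for skew in sorted(skews):
        if clusters and skew - clusters[-1][-1] <= tolerance:
            clusters[-1].append(skew)
        else:
            clusters.append([skew])
    return clusters


def fingerprints(samples):
    """Distinct (ETag, Last-Modified) pairs seen for the same resource."""
    return {(h.get("ETag"), h.get("Last-Modified")) for _, h in samples}


def estimate_backends(samples, tolerance=2):
    """Lower bound on the number of servers: the larger of the two signals.
    Two hosts with synced clocks and identical files still look like one."""
    return max(len(cluster_skews(clock_skews(samples), tolerance)),
               len(fingerprints(samples)))


if __name__ == "__main__":
    print("clock clusters:", cluster_skews(clock_skews(SAMPLES)))
    print("file variants :", fingerprints(SAMPLES))
    print("at least", estimate_backends(SAMPLES), "backends")
```

With the constructed data the clock analysis finds three clusters while the ETag/Last-Modified check finds only two variants, which is why the two signals are combined: replication lag and clock drift are independent, and either one alone can miss a node.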
Load balancer cookies
Some proxy servers and load balancers add their own cookie to the HTTP session so they can keep better state, typically to pin a client to the same backend server. These are fairly easy to find: if you see an unusual cookie, search for its name to determine which product sets it.
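As an added example (not from the original post), the following Python classifies Set-Cookie lines by well-known load balancer cookie-name prefixes and, for F5 BIG-IP's default unencrypted persistence cookie, decodes the backend IP and port that the value encodes (a little-endian 32-bit address, a little-endian 16-bit port, and a trailing 0000). The Set-Cookie lines and the small prefix table are constructed assumptions; the decoding itself follows F5's documented format.

```python
"""Spot a load-balancer persistence cookie and, for F5 BIG-IP's default
unencrypted format, recover the backend address it encodes
(added example; the Set-Cookie lines are constructed)."""
import re
import struct
from http.cookies import SimpleCookie

# Cookie-name prefixes and the product that sets them. Assumption: a short
# hand-kept list; extend it from your own observations.
KNOWN_LB_COOKIES = {
    "BIGipServer": "F5 BIG-IP (cookie persistence)",
    "AWSALB": "AWS Application Load Balancer",
    "ARRAffinity": "Microsoft IIS ARR / Azure App Service",
    "NSC_": "Citrix NetScaler / ADC",
}

# F5's documented default encoding: "<ip as little-endian uint32>.<port as
# little-endian uint16>.0000". Encrypted values and the "rd..." route-domain
# form do not match this pattern and are left undecoded.
_BIGIP_PLAIN = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_bigip(value):
    """Return (ip, port) for a plain BIGipServer value, else None."""
    m = _BIGIP_PLAIN.match(value)
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    ip = ".".join(str(b) for b in struct.pack("<I", ip_int))
    port = struct.unpack(">H", struct.pack("<H", port_int))[0]
    return ip, port


def inspect_set_cookies(set_cookie_lines):
    """Classify every cookie by name prefix; decode BIG-IP values."""
    findings = []
    for line in set_cookie_lines:
        jar = SimpleCookie()
        jar.load(line)
        for name, morsel in jar.items():
            product = next((p for prefix, p in KNOWN_LB_COOKIES.items()
                            if name.startswith(prefix)), None)
            if product is None:
                continue  # ordinary application cookie
            finding = {"cookie": name, "product": product, "backend": None}
            if name.startswith("BIGipServer"):
                finding["backend"] = decode_bigip(morsel.value)
            findings.append(finding)
    return findings


# Constructed Set-Cookie lines, as a target might return them.
SAMPLE_SET_COOKIES = [
    "BIGipServerpool_www=1677787402.36895.0000; path=/",
    "sessionid=4f6b2c1d9e; Path=/; HttpOnly",
    "ARRAffinity=0a1b2c3d4e5f; Path=/; HttpOnly; Domain=www.example.com",
]

if __name__ == "__main__":
    for finding in inspect_set_cookies(SAMPLE_SET_COOKIES):
        print(finding)
```

A decoded backend such as 10.1.1.100:8080 tells you both that the host is load balanced and what the internal pool member looks like; F5 supports encrypting this cookie precisely because of that disclosure.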
Enumerating SSL anomalies
Look for differences in the SSL/TLS certificates served, or in the cipher suites each server accepts. For example, one of the servers may support only 128-bit encryption, just as it should, but if the site administrator forgot to apply that policy to the other servers, they will also accept weaker ciphers. A single server presents one consistent configuration, so a mismatch like this across repeated connections confirms that the site is being load balanced.
HTML source code
HTML source code can also reveal load balancers. For example, multiple requests for the same page might return different comments in the HTML source, as shown next (HTML comments are delimited by <!-- and -->); here the host names in the ServerInfo comments differ between responses:
<!-- ServerInfo: MPSPPIIS1B093 2001.10.3.13.34.30 Live1 -->
<!-- Version: 2.1 Build 84 -->
<!-- ServerInfo: MPSPPIIS1A096 2001.10.3.13.34.30 Live1 -->
<!-- Version: 2.1 Build 84 -->
Proxies
In computer networks, a proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. Devices like proxies are supposed to be transparent to end users, but they are great attack points if you can find them: a misconfigured proxy may, for example, forward your requests to hosts on the internal network.
Proxy detection techniques:
TRACE request
When you issue a TRACE request, the proxy server modifies the request and forwards it to the web server, which echoes back exactly the request it received. By comparing the echo with what you sent, you can identify the changes the proxy made to the request:
curl -v -X TRACE http://www.yourserver.com
Proxy servers will usually add certain headers, so look for headers like these: Via:, X-Forwarded-For:, Proxy-Connection:
TRACE / HTTP/1.1
Host: www.site.com

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Date: Tue, 16 Aug 2005 14:27:44 GMT
Content-length: 49

TRACE / HTTP/1.1
Host: www.site.com
Via: 1.1 192.168.1.5
The Via header was not in the request that was sent, so a proxy at 192.168.1.5 inserted it, and in doing so disclosed an internal address. Many servers now answer TRACE with 405 Method Not Allowed (it is disabled to prevent cross-site tracing); in that case this technique gives you nothing and you must rely on the response headers and timing instead.
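The comparison described above, as an added Python example that is not part of the original post: it parses the TRACE response, extracts the echoed request from the body, and reports which headers were added, changed or dropped on the way to the origin. The byte strings are constructed to mirror the transcript above (the Content-Length is computed rather than copied), and the list of proxy-typical header names is an assumption.

```python
"""Compare the request you sent with the copy a TRACE response echoes back,
to expose headers an in-path proxy added or rewrote (added example; the
byte strings are constructed to match the transcript)."""

# Headers that proxies commonly insert or rewrite (assumption: a short list).
PROXY_HEADERS = ("via", "x-forwarded-for", "proxy-connection", "forwarded")


def parse_message(raw):
    """Split an HTTP message into (start line, headers, body).
    Headers map lower-cased names to a list of values, since a header
    such as Via may legitimately appear more than once."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def trace_diff(sent_request, response):
    """Return what changed between the request sent and the echoed one,
    or an 'error' entry when the server did not echo it (e.g. 405)."""
    status_line, _, body = parse_message(response)
    if " 200 " not in status_line:
        return {"error": f"TRACE not echoed: {status_line}"}
    _, sent_headers, _ = parse_message(sent_request)
    echo_line, echo_headers, _ = parse_message(body)
    added = {n: v for n, v in echo_headers.items() if n not in sent_headers}
    changed = {n: (sent_headers[n], v) for n, v in echo_headers.items()
               if n in sent_headers and sent_headers[n] != v}
    removed = [n for n in sent_headers if n not in echo_headers]
    return {"echoed_line": echo_line, "added": added,
            "changed": changed, "removed": removed}


def proxy_evidence(diff):
    """Names of added or changed headers that proxies typically insert."""
    names = set(diff.get("added", {})) | set(diff.get("changed", {}))
    return sorted(n for n in names if n in PROXY_HEADERS)


# Constructed exchange: what we sent, and the response with the echo in its body.
SENT = b"TRACE / HTTP/1.1\r\nHost: www.site.com\r\n\r\n"
ECHO = b"TRACE / HTTP/1.1\r\nHost: www.site.com\r\nVia: 1.1 192.168.1.5\r\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Server: Microsoft-IIS/5.1\r\n"
            b"Date: Tue, 16 Aug 2005 14:27:44 GMT\r\n"
            b"Content-Type: message/http\r\n"
            b"Content-Length: %d\r\n\r\n" % len(ECHO) + ECHO)
DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

if __name__ == "__main__":
    diff = trace_diff(SENT, RESPONSE)
    print("added  :", diff["added"])
    print("proxy? :", proxy_evidence(diff))
    print("405 case:", trace_diff(SENT, DISABLED))
```

The same diff also catches a proxy that rewrites rather than adds, for instance one that normalises the Host header or strips a Connection header, which is why changed and removed headers are reported alongside the added ones.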
Web Application Firewall
Web application firewalls are protective devices placed inline between the user and the web server. The application firewall analyzes HTTP traffic to decide whether it is valid and tries to prevent web attacks; you can think of them as Intrusion Prevention Systems (IPS) for the web application.
Detecting whether an application firewall is running in front of an application is actually quite easy. If, throughout your testing, you keep getting kicked out, or the session times out whenever you issue an attack request, an application firewall is likely between you and the application. Another indication is when the web server does not respond the way it normally does to unusual requests but instead always returns the same type of error.
For example, a generic error (a bare 500, or a page like the following) returned for every attack request, regardless of the payload:
400 Bad Request
The server could not understand your request
Another way to detect a WAF is to look at the cookie names in the request and search for them. This can also be automated with tools such as wafw00f and whatwaf.
The value of the cookie will of course change, but the cookie name st8id is the giveaway, and in most cases the value will have a similar character set and length from one response to the next.
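The "always the same error" indicator above, as an added Python example that is not from the original post: it compares a benign request, a benign-but-unusual control request that the application should answer itself (a nonexistent page), and several attack probes, and only flags a WAF when every probe gets one identical error page that neither the benign nor the control request received. All responses are constructed, and the similarity threshold is an assumption.

```python
"""Heuristic WAF check: does every attack probe get the same blanket error
while ordinary and merely-unusual requests get the application's own
answers? (added example; all responses are constructed)"""
from difflib import SequenceMatcher

# (request, status, body) triples as a scanner would record them.
BENIGN = ("GET /search?q=hello", 200,
          "<html><body><h1>Results for hello</h1><p>3 hits</p></body></html>")
# A benign-but-unusual request the application should answer itself.
CONTROL = ("GET /no-such-page", 404,
           "<html><body><h1>Page not found</h1><p>/no-such-page</p></body></html>")
WAF_ERROR = "400 Bad Request\nThe server could not understand your request"
# Behind a WAF: every payload gets the same page, whatever the attack class.
BLOCKED_PROBES = [
    ("GET /search?q=' OR 1=1--", 400, WAF_ERROR),
    ("GET /search?q=<script>alert(1)</script>", 400, WAF_ERROR),
    ("GET /search?q=../../../etc/passwd", 400, WAF_ERROR),
]
# Unprotected: the application reacts to each payload in its own way.
UNFILTERED_PROBES = [
    ("GET /search?q=' OR 1=1--", 500,
     "<html><body>SQL syntax error near ''' at line 1</body></html>"),
    ("GET /search?q=<script>alert(1)</script>", 200,
     "<html><body><h1>Results for <script>alert(1)</script></h1></body></html>"),
    ("GET /search?q=../../../etc/passwd", 200,
     "<html><body><h1>Results for ../../../etc/passwd</h1><p>0 hits</p></body></html>"),
]


def similarity(a, b):
    """0.0 .. 1.0 text similarity; 1.0 means identical bodies."""
    return SequenceMatcher(None, a, b).ratio()


def waf_suspected(benign, control, probes, threshold=0.9):
    """Return (verdict, reason). True only when all probes share one status
    that differs from the benign response, their bodies are near-identical,
    and the control request was not answered with that same page."""
    statuses = {status for _, status, _ in probes}
    if len(statuses) != 1:
        return False, f"probes got differing statuses {sorted(statuses)}; app-level handling likely"
    status = statuses.pop()
    if status == benign[1]:
        return False, "probes answered with the same status as a benign request"
    bodies = [body for _, _, body in probes]
    if any(similarity(bodies[0], b) < threshold for b in bodies[1:]):
        return False, "error pages differ per payload; app-level handling likely"
    if control[1] == status and similarity(control[2], bodies[0]) >= threshold:
        return False, "control request got the same page; server may just reject everything odd"
    return True, f"all {len(probes)} attack probes got one identical HTTP {status} page"


if __name__ == "__main__":
    print(waf_suspected(BENIGN, CONTROL, BLOCKED_PROBES))
    print(waf_suspected(BENIGN, CONTROL, UNFILTERED_PROBES))
```

The control request matters: a server that answers everything unusual with the same 400, including a harmless request for a missing page, is merely strict, not necessarily fronted by a WAF. Pair the verdict with the cookie-name check and a wafw00f run before concluding which product is in the path.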