Attacks on Web Servers: Application Server Vulnerabilities

Application servers like Tomcat, GlassFish, and JBoss are high-value targets due to their widespread use and potential misconfigurations. Below is a detailed guide to common vulnerabilities, their exploitation, log analysis, and defense strategies.


1. Tomcat Application Server

Vulnerability: Directory Traversal via Double URL Encoding

Attack Process:

  1. Default Credentials: Attackers often use default admin credentials (admin:admin) to access the management interface.

  2. Double URL Encoding Bypass:

    • By percent-encoding the ../ sequence twice (each "." becomes %252e), the request slips past path checks that decode only once, and the traversal reaches the manager application:

      /examples/jsp/%252e%252e/%252e%252e/manager/html

  3. Deploy Webshell:

    • Upload a malicious .war file (test.war) to gain a remote shell.

Log Analysis:

  • Detect successful (HTTP 200) access to the admin panel:

    grep "manager/html" /var/log/tomcat/access.log | grep " 200 "

  • Filter POST requests from the attacker's IP:

    grep -F "192.168.68.1" /var/log/tomcat/access.log | grep "POST"

  • Analyze network traffic:

    Wireshark filter: ip.src == 192.168.68.1 && http.request.method == "POST"
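The three checks above can be run as a single pass over the access log that also undoes the double encoding before looking for the traversal. The following Python script is an added example, not part of the original page; it assumes Tomcat's default "common" access-log pattern, and the log lines it contains are constructed samples (the CSRF nonce is a placeholder value).

```python
import re
from urllib.parse import unquote
# Tomcat "common" access-log pattern: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample lines, not a real capture; the CSRF nonce is a placeholder value.
SAMPLE_LOG = """\
192.168.68.1 - - [10/Oct/2024:13:55:36 +0000] "GET /examples/jsp/%252e%252e/%252e%252e/manager/html HTTP/1.1" 200 5120
192.168.68.1 - - [10/Oct/2024:13:56:02 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=PLACEHOLDER HTTP/1.1" 200 4096
192.168.68.50 - - [10/Oct/2024:13:57:10 +0000] "GET /examples/jsp/index.html HTTP/1.1" 200 2048
192.168.68.1 - - [10/Oct/2024:13:58:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""

def normalize_path(path):
    # Percent-decode repeatedly (at most 3 rounds) so %252e%252e ends up as ".."
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None
def classify(ev):
    raw, norm = ev["path"], normalize_path(ev["path"])
    tags = []
    if ".." in norm:                  # traversal that may only be visible after decoding
        tags.append("traversal")
    if unquote(raw) != norm:          # one decode was not enough: the path was multi-encoded
        tags.append("double-encoding")
    if "/manager/html" in norm:
        if ev["status"].startswith("2"):
            tags.append("manager-access")
        elif ev["status"] in ("401", "403"):
            tags.append("manager-auth-failure")   # e.g. default-credential guessing
    if ev["method"] in ("POST", "PUT") and "/manager/" in norm and ("upload" in norm or "deploy" in norm):
        tags.append("war-deploy")     # HTML form upload (/manager/html/upload) or text API deploy
    return tags

def summarize(lines):
    by_ip = {}   # group tags by client IP so one host's chain of activity stands out
    for line in lines:
        ev = parse(line)
        if ev and (tags := classify(ev)):
            by_ip.setdefault(ev["ip"], []).extend(tags)
    return by_ip
```

Running summarize(SAMPLE_LOG.splitlines()) attributes the traversal, the successful manager access, the upload and the earlier authentication failure to the single source 192.168.68.1, which is the chain the three grep/Wireshark checks look for separately.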

Protection:

  • Update Components: Keep Tomcat and mod_jk up-to-date.

  • Secure Admin Panel:

    • Use strong, unique passwords.

    • Restrict admin panel access to trusted IPs.


2. GlassFish Application Server

Vulnerability: CVE-2011-0807 - Remote Code Execution via Default Credentials

Attack Process:

  1. Port Scanning:

    • Use nmap to detect GlassFish:

      nmap -p 4848,8080 <target-ip>

  2. Remote Exploitation:

    • Exploit using Metasploit:

      exploit/unix/webapp/glassfish_deployer

    • This grants remote shell access.

Log Analysis:

  • Detect suspicious connections (4444 is the default port of a Metasploit reverse shell):

    netstat -an | grep 4444

  • Review logs for repeated GET or POST requests:

    grep -E "GET|POST" /var/log/glassfish/access.log

Protection:

  • Change Default Credentials: Replace default admin passwords.

  • Upgrade GlassFish: Apply the latest security patches.


3. JBoss Application Server

Vulnerability: Remote Code Execution in JBoss AS (Exploit ID: 36575)

Attack Process:

  1. Exploit Upload:

    • Use a Python script to deploy a webshell:

      POST /jbossass/jbossass.jsp

  2. Execute Commands:

    • Commands like whoami and uname -a provide system info.

Log Analysis:

  • Search for executed commands (arguments are URL-encoded in the access log, so match on the bare command names rather than requiring both on one line):

    grep -E "whoami|uname" /var/log/jboss/access.log

  • Investigate uploaded JSP files:

    find /opt/jboss-6.0.0.Final/ -type f -name "jbossass.jsp"

  • Review the source of suspicious JSP files to confirm malicious content.

Protection:

  • Upgrade JBoss: Move to JBoss EAP 7 or higher.

  • Run Under Limited Privileges: Ensure JBoss runs under non-root accounts.


General Protection Methods

1. Patch and Update Regularly

  • Timely Updates:

    • Apply security patches as soon as they are released.

    • Regularly update both the application server and its underlying OS.

2. Enforce Strong Authentication

  • Admin Accounts:

    • Use strong, unique passwords.

    • Implement Multi-Factor Authentication (MFA) for sensitive panels.

3. Restrict Access

  • Limit Admin Interfaces:

    • Restrict access to /manager/html, /admin-console, etc., via IP whitelisting or firewalls.

    • Example Nginx restriction:

      location /manager/html {
        allow 192.168.1.0/24;
        deny all;
      }

4. Monitor Logs and Traffic

  • Real-Time Monitoring:

    • Use a SIEM system or centralized logging (e.g., ELK Stack, Graylog) to aggregate and analyze logs.

  • Alert on Suspicious Patterns:

    • Unusual file uploads, POST requests, or directory traversal attempts should trigger alerts.

5. Deploy Web Application Firewalls (WAFs)

  • Prevent Malicious Inputs:

    • Deploy WAFs to block SQL injection, directory traversal, and command injection attacks.

    • Tools like ModSecurity can be integrated with Apache/Nginx for additional security.


Key Points

Securing application servers like Tomcat, GlassFish, and JBoss requires a proactive approach to vulnerability management. By regularly updating software, monitoring logs, and restricting access, organizations can significantly reduce the attack surface. Detecting attacks early through detailed log analysis and traffic inspection ensures that incidents are swiftly contained and mitigated.