
Web Application Security pdf


363_Web_App_FM.qxd 12/19/06 10:46 AM Page ii
www.syngress.com
Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.
SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).
ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.
DOWNLOADABLE E-BOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.
SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.
SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at for more information.


CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at for more information.
Visit us at
Developer’s Guide to Web Application Security
Michael Cross
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Developer’s Guide to Web Application Security
Copyright © 2007 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN-10: 1-59749-061-X
ISBN-13: 978-1-59749-061-0
Publisher: Andrew Williams
Page Layout and Art: Patricia Lupien
Copy Editor: Beth Roberts
Indexer: Nara Wood
Cover Designer: Michael Kavish
Distributed by O’Reilly Media, Inc. in the United States and Canada.
For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email or fax to 781-681-3585.

Acknowledgments
Syngress would like to acknowledge the following people for their kindness and support in making this book possible.
Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.
The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.
David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Lead Author
Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist/Computer Forensic Analyst with the Niagara Regional Police Service (NRPS). He performs computer forensic examinations on computers involved in criminal investigation. He also has consulted and assisted in cases dealing with computer-related/Internet crimes. In addition to designing and maintaining the NRPS Web site at www.nrps.com and the NRPS intranet, he has provided support in the areas of programming, hardware, and network administration. As part of an information technology team that provides support to a user base of more than 800 civilian and uniform users, he has a theory that when the users carry guns, you tend to be more motivated in solving their problems.
Michael also owns KnightWare (www.knightware.ca), which provides computer-related services such as Web page design, and Bookworms (www.bookworms.ca), where you can purchase collectibles and other interesting items online. He has been a freelance writer for several years, and he has been published more than three dozen times in numerous books and anthologies. He currently resides in St. Catharines, Ontario, Canada, with his lovely wife, Jennifer, his darling daughter, Sara, and charming son, Jason.
Contributing Authors
Chris Broomes (MCSE, MCT, MCP+I, CCNA) is a Senior Network Analyst at DevonIT, a leading networking services provider specializing in network security and VPN solutions. Chris has worked in the IT industry for over eight years and has a wide range of technical experience. Chris is Founder and President of Infinite Solutions Group Inc., a network consulting firm located in Lansdowne, PA that specializes in network design, integration, security services, technical writing, and training. Chris is currently pursuing the CCDA and CCNP certifications while mastering the workings of Cisco and Netscreen VPN and security devices.
Jeff Forristal is the Lead Security Developer for Neohapsis, a Chicago-based security solution/consulting firm. Apart from assisting in network security assessments and application security reviews (including source code review), Jeff is the driving force behind Security Alert Consensus, a joint security alert newsletter published on a weekly basis by Neohapsis, Network Computing, and the SANS Institute.
Drew Simonis (CCNA) is a Security Consultant for Fiderus Strategic Security and Privacy Services. He is an information-security specialist with experience in security guidelines, incident response, intrusion detection and prevention, and network and system administration. He has extensive knowledge of TCP/IP data networking and UNIX (specifically AIX and Solaris), as well as sound knowledge of routing, switching, and bridging. Drew has been involved in several large-scale Web development efforts for companies such as AT&T, IBM, and several of their customers. This has included both planning and deployment of such efforts as online banking, automated customer care, and an online adaptive insurability assessment used by a major national insurance company. Drew helps customers of his current employer with network and application security assessments as well as assisting in ongoing development efforts. Drew is a member of MENSA and holds several industry certifications, including IBM Certified Specialist, AIX 4.3 System Administration, AIX 4.3 Communications, Sun Microsystems Certified Solaris System Administrator, Sun Microsystems Certified Solaris Network Administrator, Checkpoint Certified Security Administrator, and Checkpoint Certified Security Engineer. He resides in Tampa, FL.
Brian Bagnall (Sun Certified Java Programmer and Developer) is coauthor of the Sun Certified Programmer for Java 2 Study Guide. He is currently the lead programmer at IdleWorks, a company located in Western Canada. IdleWorks develops distributed processing solutions for large and medium-sized businesses with supercomputing needs. His background includes working for IBM developing client-side applications. Brian is also a key programmer of Legos, a Java software development kit for Lego Mindstorms. Brian would like to thank his family for their support, and especially his father Herb.
Michael Dinowitz hosts CF-Talk, the high-volume ColdFusion mailing list, out of House of Fusion.Com. He publishes and writes articles for the Fusion Authority Weekly News Alert. Michael is the author of Fusebox: Methodology and Techniques (ColdFusion Edition) and is the co-author of the bestselling ColdFusion Web Application Construction Kit. Whether it’s researching the lowest levels of ColdFusion functionality or presenting to an audience, Michael’s passion for the language is clear. Outside of Allaire, there are few evangelists as dedicated to the spread of the language and the strengthening of the community.
Jay D. Dyson is a Senior Security Consultant for OneSecure Inc., a trusted provider of managed digital security services. Jay also serves as part-time Security Advisor to the National Aeronautics and Space Administration (NASA). His extracurricular activities include maintaining Treachery.Net and serving as one of the founding staff members of Attrition.Org.
Joe Dulay (MCSD) is the Vice-President of Technology for the IT Age Corporation. IT Age Corporation is a project management and software development firm specializing in customer-oriented business enterprise and e-commerce solutions located in Atlanta, GA. His current responsibilities include managing the IT department, heading the technology steering committee, software architecture, e-commerce product management, and refining development processes and methodologies. Though most of his responsibilities lay in the role of manager and architect, he is still an active participant of the research and development team. Joe holds a bachelor’s degree from the University of Wisconsin in computer science. His background includes positions as a Senior Developer at Siemens Energy and Automation, and as an independent contractor specializing in e-commerce development. Joe would like to thank his family for always being there to help him.
Edgar Danielyan (CCNA) is currently self-employed. Edgar has a diploma in company law from the British Institute of Legal Executives and is a certified paralegal from the University of Southern Colorado. He has been working as a Network Administrator and Manager of a top-level domain of Armenia. He has also worked for the United Nations, the Ministry of Defense, a national telco, a bank, and has been a partner in a law firm. He speaks four languages, likes good tea, and is a member of ACM, IEEE CS, USENIX, CIPS, ISOC, and IPG.
David G. Scarbrough is a Senior Developer with Education Networks of America where he is a lead member of the ColdFusion development team. He specializes in developing e-commerce sites. David has ColdFusion 4.5 Master Certification and is also experienced with HTML, JavaScript, PHP, Visual Basic, ActiveX, Flash 4.0, and SQL Server 7. He has also held positions as a Programmer and Computer Scientist. David graduated from Troy State University in Montgomery, AL with a bachelor of science in computer science. He lives in Smyrna, TN.
Kevin Ziese is a Computer Scientist at Cisco Systems, Inc. Prior to joining Cisco he was a Senior Scientist and Founder of the Wheelgroup Corporation, which was acquired by Cisco Systems in April of 1998. Prior to starting the Wheelgroup Corporation, he was Chief of the Advanced Countermeasures Cell at the Air Force Information Warfare Center.
Robert Hansen is a self-taught computer expert residing in Northern California. Robert, known formerly as RSnake and currently as RSenic, has been heavily involved in the hacking and security scene since the mid 1990s and continues to work closely with black and white hats alike. Robert has worked for a major banner advertising company as an Information Specialist and for several start-up companies as Chief Operations Officer and Chief Security Officer. He has founded several security sites and organizations, and has been interviewed by many magazines, newspapers, and television outlets such as Forbes Online, Computer World, CNN, FOX and ABC News. He sends greets to #hackphreak, #ehap, friends, and family.
Contents

Chapter 1 Hacking Methodology . . . . . . . . . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Understanding the Terms . . . . . . . . . . . . . . . . . . . . . . . . .3
A Brief History of Hacking . . . . . . . . . . . . . . . . . . . . . . . . .3
Phone System Hacking . . . . . . . . . . . . . . . . . . . . . . . . . .4
Computer Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
What Motivates a Hacker? . . . . . . . . . . . . . . . . . . . . . . . . . .7
Ethical Hacking versus Malicious Hacking . . . . . . . . . . . .8
Working with Security Professionals . . . . . . . . . . . . . . . .9
Associated Risks with Hiring a Security Professional . .9
Understanding Current Attack Types . . . . . . . . . . . . . . . . . .10
DoS/DDoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Virus Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
End-User Virus Protection . . . . . . . . . . . . . . . . . . . . . .14
Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Rogue Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Stealing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Credit Card Theft . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Theft of Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Information Piracy . . . . . . . . . . . . . . . . . . . . . . . . . .22
Recognizing Web Application Security Threats . . . . . . . . . .23
Hidden Manipulation . . . . . . . . . . . . . . . . . . . . . . . . . .23
Parameter Tampering . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Cross-Site Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Buffer Overflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Cookie Poisoning . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Preventing Break-Ins by Thinking like a Hacker . . . . . . . . . .25
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .32

Chapter 2 How to Avoid Becoming a Code Grinder . . . 35
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
What Is a Code Grinder? . . . . . . . . . . . . . . . . . . . . . . . . . .37
Following the Rules . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Thinking Creatively when Coding . . . . . . . . . . . . . . . . . . .41
Use All Available Resources at Your Disposal . . . . . . . . .43
Allowing for Thought . . . . . . . . . . . . . . . . . . . . . . . . . .44
Modular Programming Done Correctly . . . . . . . . . . . . .44
Security from the Perspective of a Code Grinder . . . . . . . . .46
Coding in a Vacuum . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Building Functional and Secure Web Applications . . . . . . . .49
But My Code Is Functional! . . . . . . . . . . . . . . . . . . . . .54
There Is More to an Application than Functionality . . . .55
You Can Make the Difference! . . . . . . . . . . . . . . . . . . .56
Let’s Make It Secure and Functional . . . . . . . . . . . . . . . .58
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .64
Chapter 3 Understanding the Risk Associated with Mobile Code . . . . . . . . . . . . . . . . . . . . 67
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Recognizing the Impact of Mobile Code Attacks . . . . . . . . .69
Browser Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Mail Client Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Malicious Scripts or Macros . . . . . . . . . . . . . . . . . . . . . .72
Identifying Common Forms of Mobile Code . . . . . . . . . . .72
Macro Languages: Visual Basic for Applications (VBA) . .73
Security Problems with VBA . . . . . . . . . . . . . . . . . .74

The Melissa Virus . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Protecting against VBA Viruses . . . . . . . . . . . . . . . . .80
JavaScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
JavaScript Security Overview . . . . . . . . . . . . . . . . . .84
Security Problems . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Exploiting Plug-In Commands . . . . . . . . . . . . . . . . .86
Web-Based E-Mail Attacks . . . . . . . . . . . . . . . . . . . .87
Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . . .87
Lowering JavaScript Security Risks . . . . . . . . . . . . . .88
VBScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
VBScript Security Overview . . . . . . . . . . . . . . . . . .89
VBScript Security Problems . . . . . . . . . . . . . . . . . . .89
VBScript Security Precautions . . . . . . . . . . . . . . . . .90
Java Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Granting Additional Access to Applets . . . . . . . . . . . .92
Security Problems with Java . . . . . . . . . . . . . . . . . . .92
Background Threads . . . . . . . . . . . . . . . . . . . . . . . . .92
Contacting the Host Server . . . . . . . . . . . . . . . . . . . .93
Java Security Precautions . . . . . . . . . . . . . . . . . . . . . .93
ActiveX Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
ActiveX Security Overview . . . . . . . . . . . . . . . . . . .94
Security Problems with ActiveX . . . . . . . . . . . . . . . .95
Preinstalled ActiveX Controls . . . . . . . . . . . . . . . . . .96
Buffer Overrun Error . . . . . . . . . . . . . . . . . . . . . . . .97
Intentionally Malicious ActiveX . . . . . . . . . . . . . . . .98
Unsafe for Scripting . . . . . . . . . . . . . . . . . . . . . . . . .98
ActiveX Security Precautions . . . . . . . . . . . . . . . . . .98
Disabling an ActiveX Control . . . . . . . . . . . . . . . . . .98

E-Mail Attachments and Downloaded Executables . . . . .99
Back Orifice 2000 Trojan . . . . . . . . . . . . . . . . . . . . .99
Protecting Your System from Mobile Code Attacks . . . . . . .103
Security Applications . . . . . . . . . . . . . . . . . . . . . . . . . .103
ActiveX Manager . . . . . . . . . . . . . . . . . . . . . . . . . .103
Back Orifice Detectors . . . . . . . . . . . . . . . . . . . . . .104
Firewall Software . . . . . . . . . . . . . . . . . . . . . . . . . .108
Web-Based Tools . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Online Scanners . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Client Security Updates . . . . . . . . . . . . . . . . . . . . .109
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .112
Chapter 4 Vulnerable CGI Scripts . . . . . . . . . . . . . . . . 113
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
What Is a CGI Script, and What Does It Do? . . . . . . . . . .114
Typical Uses of CGI Scripts . . . . . . . . . . . . . . . . . . . . .116
When Should You Use CGI? . . . . . . . . . . . . . . . . . . . .121
CGI Script Hosting Issues . . . . . . . . . . . . . . . . . . . . . .122
Break-Ins Resulting from Weak CGI Scripts . . . . . . . . . . .123
How to Write “Tighter” CGI Scripts . . . . . . . . . . . . . .124
Searchable Index Commands . . . . . . . . . . . . . . . . . . . .128
CGI Wrappers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Nikto . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
Acquiring and Using Nikto . . . . . . . . . . . . . . . . . .131
Nikto Commands . . . . . . . . . . . . . . . . . . . . . . . . . .133
Web Hack Control Center . . . . . . . . . . . . . . . . . . . . .137
SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . .138

Languages for Writing CGI Scripts . . . . . . . . . . . . . . . . . .140
UNIX Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141
Perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141
C/C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Visual Basic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Advantages of Using CGI Scripts . . . . . . . . . . . . . . . . . . . .143
Rules for Writing Secure CGI Scripts . . . . . . . . . . . . . . . .143
Storing CGI Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . .147
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .152
Chapter 5 Hacking Techniques and Tools . . . . . . . . . . 155
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
A Hacker’s Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Minimize the Warning Signs . . . . . . . . . . . . . . . . . . . .158
Maximize the Access . . . . . . . . . . . . . . . . . . . . . . . . . .160
Damage, Damage, Damage . . . . . . . . . . . . . . . . . . . . . .163
Turning the Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
The Five Phases of Hacking . . . . . . . . . . . . . . . . . . . . . . .166
Creating an Attack Map . . . . . . . . . . . . . . . . . . . . . . . .166
Building an Execution Plan . . . . . . . . . . . . . . . . . . . . .170
Establishing a Point of Entry . . . . . . . . . . . . . . . . . . . .171
Continued and Further Access . . . . . . . . . . . . . . . . . . .172
The Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
Defacing Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
Sensitive Information . . . . . . . . . . . . . . . . . . . . . . . . . .178
E-Mail or Messaging Services . . . . . . . . . . . . . . . . . . .179

Telephones and Documents . . . . . . . . . . . . . . . . . . . .180
Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
The Intentional “Back Door” Attack . . . . . . . . . . . . . . . . .183
Hard-Coding a Back Door Password . . . . . . . . . . . . . .184
Exploiting Inherent Weaknesses in Code or Programming Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
The Tools of the Trade . . . . . . . . . . . . . . . . . . . . . . . . . . .187
Hex Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
Debuggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Disassemblers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
PE Disassembler . . . . . . . . . . . . . . . . . . . . . . . . . . .190
DJ Java Decompiler . . . . . . . . . . . . . . . . . . . . . . . .190
Hackman Disassembler . . . . . . . . . . . . . . . . . . . . . .191
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .196
Chapter 6 Code Auditing and Reverse Engineering . . 199
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
How to Efficiently Trace through a Program . . . . . . . . . . .200
Auditing and Reviewing Selected Programming Languages . . .203
Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Java Server Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Active Server Pages . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Server Side Includes . . . . . . . . . . . . . . . . . . . . . . . . . .204
Python . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
The Tool Command Language . . . . . . . . . . . . . . . . . . .205
Practical Extraction and Reporting Language . . . . . . . .205
PHP: Hypertext Preprocessor . . . . . . . . . . . . . . . . . . . .205
C/C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
ColdFusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206

Looking for Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . .206
Getting the Data from the User . . . . . . . . . . . . . . . . . .207
Looking for Buffer Overflows . . . . . . . . . . . . . . . . . . .208
The str* Family of Functions . . . . . . . . . . . . . . . . . . . .209
The strn* Family of Functions . . . . . . . . . . . . . . . . . . .209
The *scanf Family of Functions . . . . . . . . . . . . . . . . . .210
Other Functions Vulnerable to Buffer Overflows . . . . .210
Checking the Output Given to the User . . . . . . . . . . .211
Format String Vulnerabilities . . . . . . . . . . . . . . . . . . . .211
Cross-Site Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . .213
Information Disclosure . . . . . . . . . . . . . . . . . . . . . . . .214
Checking for File System Access/Interaction . . . . . . . .215
Checking External Program and Code Execution . . . . .218
Calling External Programs . . . . . . . . . . . . . . . . . . . . . .218
Dynamic Code Execution . . . . . . . . . . . . . . . . . . . . . .219
External Objects/Libraries . . . . . . . . . . . . . . . . . . . . . .220
Checking Structured Query Language (SQL)/Database Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
Checking Networking and Communication Streams . . .223
Pulling It All Together . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .226
Chapter 7 Securing Your Java Code. . . . . . . . . . . . . . . 227
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Java Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Java Runtime Environment . . . . . . . . . . . . . . . . . . . . .229
Overview of the Java Security Architecture . . . . . . . . . . . .232

The Java Security Model . . . . . . . . . . . . . . . . . . . . . . .233
The Sandbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
Security and Java Applets . . . . . . . . . . . . . . . . . . . . .238
How Java Handles Security . . . . . . . . . . . . . . . . . . . . . . . .241
Class Loaders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242
The Applet Class Loader . . . . . . . . . . . . . . . . . . . . .243
Adding Security to a Custom Class Loader . . . . . . .243
Bytecode Verifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . .246
Java Protected Domains . . . . . . . . . . . . . . . . . . . . . . . .250
Java Security Manager . . . . . . . . . . . . . . . . . . . . . . .251
Policy Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
The SecurityManager Class . . . . . . . . . . . . . . . . . . .258
Potential Weaknesses in Java . . . . . . . . . . . . . . . . . . . . . . . .259
DoS Attack/Degradation of Service Attacks . . . . . . . . .260
Third-Party Trojan Horse Attacks . . . . . . . . . . . . . . . . .262
Coding Functional but Secure Java Applets . . . . . . . . . . . . .263
Message Digests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264
Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Generating a Key Pair . . . . . . . . . . . . . . . . . . . . . . .270
Obtaining and Verifying a Signature . . . . . . . . . . . .272
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274
X.509 Certificate Format . . . . . . . . . . . . . . . . . . . .275
Obtaining Digital Certificates . . . . . . . . . . . . . . . . .276
Protecting Security with JAR Signing . . . . . . . . . . . . .280
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .284
Sun Microsystems Recommendations for Java Security .287
Privileged Code Guidelines . . . . . . . . . . . . . . . . . . .288
Java Code Guidelines . . . . . . . . . . . . . . . . . . . . . . .288

C Code Guidelines . . . . . . . . . . . . . . . . . . . . . . . . .289
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .293
Chapter 8 Securing XML . . . . . . . . . . . . . . . . . . . . . . . 295
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Defining XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Logical Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297
Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298
Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .299
Well-Formed Documents . . . . . . . . . . . . . . . . . . . .300
Valid Document . . . . . . . . . . . . . . . . . . . . . . . . . . .300
XML and XSL/DTD Documents . . . . . . . . . . . . . . . .301
XSL Use of Templates . . . . . . . . . . . . . . . . . . . . . . . . .302
XSL Use of Patterns . . . . . . . . . . . . . . . . . . . . . . . . . .302
DTD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Schemas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
Creating Web Applications Using XML . . . . . . . . . . . . . . .307
The Risks Associated with Using XML . . . . . . . . . . . . . . .311
Confidentiality Concerns . . . . . . . . . . . . . . . . . . . . . . .312
Securing XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313
XML Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . .313
XML Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . .318
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .323
Chapter 9 Building Safe ActiveX Internet Controls. . . 325
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326

Dangers Associated with Using ActiveX . . . . . . . . . . . . . . .326
Avoiding Common ActiveX Vulnerabilities . . . . . . . . . .329
Lessening the Impact of ActiveX Vulnerabilities . . . . . .333
Protection at the Network Level . . . . . . . . . . . . . . .333
Protection at the Client Level . . . . . . . . . . . . . . . . .333
Methodology for Writing Safe ActiveX Controls . . . . . . . .337
Object Safety Settings . . . . . . . . . . . . . . . . . . . . . . . . .337
Securing ActiveX Controls . . . . . . . . . . . . . . . . . . . . . . . .338
Control Signing . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339
Using Microsoft Authenticode . . . . . . . . . . . . . . . . .340
Control Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
Using Safety Settings . . . . . . . . . . . . . . . . . . . . . . . .342
Using IObjectSafety . . . . . . . . . . . . . . . . . . . . .343
Marking the Control in the Windows Registry . . . .346
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .351
Chapter 10 Securing ColdFusion . . . . . . . . . . . . . . . . . 353
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354
How Does ColdFusion Work? . . . . . . . . . . . . . . . . . . . . . .355
Using the Benefit of Rapid Development . . . . . . . . . . .356
Understanding ColdFusion Markup Language . . . . . . .358
Scalable Deployment . . . . . . . . . . . . . . . . . . . . . . . . . .360
Preserving ColdFusion Security . . . . . . . . . . . . . . . . . . . . .360
Secure Development . . . . . . . . . . . . . . . . . . . . . . . . . .365
CFINCLUDE . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
Relative Paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369
Uploaded Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373
Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . .374

Turning Off Tags . . . . . . . . . . . . . . . . . . . . . . . . . .375
Secure Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . .375
ColdFusion Application Processing . . . . . . . . . . . . . . . . . .376
Checking for Existence of Data . . . . . . . . . . . . . . . . .376
Checking Data Types . . . . . . . . . . . . . . . . . . . . . . . . .378
Data Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
Risks Associated with Using ColdFusion . . . . . . . . . . . . . .382
Using Error Handling Programs . . . . . . . . . . . . . . . . . .384
Monitor.cfm Example . . . . . . . . . . . . . . . . . . . . . . .386
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .392
Chapter 11 Developing Security-Enabled Applications 393
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394
The Benefits of Using Security-Enabled Applications . . . . .394
Types of Security Used in Applications . . . . . . . . . . . . . . .395
Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Pretty Good Privacy . . . . . . . . . . . . . . . . . . . . . . . . . .397
Outlook/Outlook Express . . . . . . . . . . . . . . . . . . . . . .400
Secure Multipurpose Internet Mail Extension . . . . . . . .401
Secure Sockets Layer . . . . . . . . . . . . . . . . . . . . . . . . . .401
Transport Layer Security . . . . . . . . . . . . . . . . . . . . . . .403
Server Authentication . . . . . . . . . . . . . . . . . . . . . . .404
Client Authentication . . . . . . . . . . . . . . . . . . . . . . .405
Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Reviewing the Basics of PKI . . . . . . . . . . . . . . . . . . . . . . .410
Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Certificate Services . . . . . . . . . . . . . . . . . . . . . . . . . . .415

Using PKI to Secure Web Applications . . . . . . . . . . . . . . .416
Implementing PKI in Your Web Infrastructure . . . . . . . . . .417
Microsoft Certificate Services . . . . . . . . . . . . . . . . . . . .417
PKI for Apache Server . . . . . . . . . . . . . . . . . . . . . . . . .421
Testing Your Security Implementation . . . . . . . . . . . . . . . .422
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .425
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .426
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .429
Chapter 12 Cradle to Grave: Working with a Security Plan . . . . . . . . . . . . . . . . . . . 431
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .432
Examining Your Code . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Code Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Peer-to-Peer Code Reviews . . . . . . . . . . . . . . . . . . . .435
Being Aware of Code Vulnerabilities . . . . . . . . . . . . . . . . .438
Testing, Testing, Testing . . . . . . . . . . . . . . . . . . . . . . . .439
Using Common Sense when Coding . . . . . . . . . . . . . . . . .442
Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .442
Coding Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . .443
Header Comments . . . . . . . . . . . . . . . . . . . . . . . . .443
Variable Declaration Comments . . . . . . . . . . . . . . .444
The Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444
Rule-Based Analyzers . . . . . . . . . . . . . . . . . . . . . . .444
Debugging and Error Handling . . . . . . . . . . . . . . . .445
Version Control and Source Code Tracking . . . . . . .446
Visual SourceSafe . . . . . . . . . . . . . . . . . . . . . . . . . .446
StarTeam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447
Creating a Security Plan . . . . . . . . . . . . . . . . . . . . . . . . . .448

Security Planning at the Network Level . . . . . . . . . . . .449
Security Planning at the Application Level . . . . . . . . . .450
Security Planning at the Desktop Level . . . . . . . . . . . .450
Web Application Security Process . . . . . . . . . . . . . . . . .451
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .453
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .454
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .455
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Chapter 1
Hacking Methodology

Solutions in this chapter:
A Brief History of Hacking
What Motivates a Hacker?
Understanding Current Attack Types
Recognizing Web Application Security Threats
Preventing Break-Ins by Thinking like a Hacker

Summary
Solutions Fast Track
Frequently Asked Questions
1
363_Web_App_01.qxd 12/15/06 10:31 AM Page 1