

Stuttard flast.indd V2 - 08/10/2011 Page xxii

flast.indd xxii

8/19/2011 12:23:07 PM



The Web Application
Hacker’s Handbook
Second Edition

Finding and Exploiting Security Flaws

Dafydd Stuttard
Marcus Pinto


The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, Second Edition

Published by
John Wiley & Sons, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com

Copyright © 2011 by Dafydd Stuttard and Marcus Pinto
Published by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada

ISBN: 978-1-118-02647-2
ISBN: 978-1-118-17522-4 (ebk)
ISBN: 978-1-118-17524-8 (ebk)
ISBN: 978-1-118-17523-1 (ebk)

Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at ey.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Not all content that is available in standard print versions of this book may appear or be packaged in all book formats. If you have purchased a version of this book that did not include media that is referenced by or accompanies a standard print version, you may request this media by visiting ey.com. For more information about Wiley products, visit us at www.wiley.com.

Library of Congress Control Number: 2011934639

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.


About the Authors

Dafydd Stuttard is an independent security consultant, author, and software developer. With more than 10 years of experience in security consulting, he specializes in the penetration testing of web applications and compiled software. Dafydd has worked with numerous banks, retailers, and other enterprises to help secure their web applications. He also has provided security consulting to several software manufacturers and governments to help secure their compiled software. Dafydd is an accomplished programmer in several languages. His interests include developing tools to facilitate all kinds of software security testing. Under the alias “PortSwigger,” Dafydd created the popular Burp Suite of web application hacking tools; he continues to work actively on Burp’s development. Dafydd is also cofounder of MDSec, a company providing training and consultancy on Internet security attack and defense. Dafydd has developed and presented training courses at various security conferences around the world, and he regularly delivers training to companies and governments. He holds master’s and doctorate degrees in philosophy from the University of Oxford.

Marcus Pinto is cofounder of MDSec, developing and delivering training courses in web application security. He also performs ongoing security consultancy for financial, government, telecom, and retail verticals. His 11 years of experience in the industry have been dominated by the technical aspects of application security, from the dual perspectives of a consulting and end-user implementation role. Marcus has a background in attack-based security assessment and penetration testing. He has worked extensively with large-scale web application deployments in the financial services industry. Marcus has been developing and presenting database and web application training courses since 2005 at Black Hat and other worldwide security conferences, and for private-sector and government clients. He holds a master’s degree in physics from the University of Cambridge.

About the Technical Editor

Dr. Josh Pauli received his Ph.D. in Software Engineering from North Dakota State University (NDSU) with an emphasis in secure requirements engineering and now serves as an Associate Professor of Information Security at Dakota State University (DSU). Dr. Pauli has published nearly 20 international journal and conference papers related to software security and his work includes invited presentations from the Department of Homeland Security and Black Hat Briefings. He teaches both undergraduate and graduate courses in system software security and web software security at DSU. Dr. Pauli also conducts web application penetration tests as a Senior Penetration Tester for an Information Security consulting firm where his duties include developing hands-on technical workshops in the area of web software security for IT professionals in the financial sector.


MDSec: The Authors’ Company

Dafydd and Marcus are cofounders of MDSec, a company that provides training
in attack and defense-based security, along with other consultancy services. If
while reading this book you would like to put the concepts into practice, and
gain hands-on experience in the areas covered, you are encouraged to visit our
website, . This will give you access to hundreds of interactive
vulnerability labs and other resources that are referenced throughout the book.


Credits

Executive Editor: Carol Long
Senior Project Editor: Adaobi Obi Tulton
Technical Editor: Josh Pauli
Production Editor: Kathleen Wisor
Copy Editor: Gayle Johnson
Editorial Manager: Mary Beth Wakefield
Freelancer Editorial Manager: Rosemarie Graham
Associate Director of Marketing: David Mayhew
Marketing Manager: Ashley Zurcher
Business Manager: Amy Knies
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Executive Publisher: Neil Edde
Associate Publisher: Jim Minatel
Project Coordinator, Cover: Katie Crocker
Proofreaders: Sarah Kaikini, Word One; Sheilah Ledwidge, Word One
Indexer: Robert Swanson
Cover Designer: Ryan Sneed
Cover Image: Wiley InHouse Design
Vertical Websites Project Manager: Laura Moss-Hollister
Vertical Websites Assistant Project Manager: Jenny Swisher
Vertical Websites Associate Producers: Josh Frank, Shawn Patrick, Doug Kuhn, Marilyn Hummel


Acknowledgments

We are indebted to the directors and others at Next Generation Security Software, who provided the right environment for us to realize the first edition of this book. Since then, our input has come from an increasingly wider community of researchers and professionals who have shared their ideas and contributed to the collective understanding of web application security issues that exists today. Because this is a practical handbook rather than a work of scholarship, we have deliberately avoided filling it with a thousand citations of influential articles, books, and blog postings that spawned the ideas involved. We hope that people whose work we discuss anonymously are content with the general credit given here.

We are grateful to the people at Wiley — in particular, to Carol Long for enthusiastically supporting our project from the outset, to Adaobi Obi Tulton for helping polish our manuscript and coaching us in the quirks of “American English,” to Gayle Johnson for her very helpful and attentive copy editing, and to Katie Wisor’s team for delivering a first-rate production.

A large measure of thanks is due to our respective partners, Becky and Amanda, for tolerating the significant distraction and time involved in producing a book of this size.

Both authors are indebted to the people who led us into our unusual line of work. Dafydd would like to thank Martin Law. Martin is a great guy who first taught me how to hack and encouraged me to spend my time developing techniques and tools for attacking applications. Marcus would like to thank his parents for everything they have done and continue to do, including getting me into computers. I’ve been getting into computers ever since.


Contents at a Glance

Introduction                                                 xxiii
Chapter 1    Web Application (In)security                        1
Chapter 2    Core Defense Mechanisms                            17
Chapter 3    Web Application Technologies                       39
Chapter 4    Mapping the Application                            73
Chapter 5    Bypassing Client-Side Controls                    117
Chapter 6    Attacking Authentication                          159
Chapter 7    Attacking Session Management                      205
Chapter 8    Attacking Access Controls                         257
Chapter 9    Attacking Data Stores                             287
Chapter 10   Attacking Back-End Components                     357
Chapter 11   Attacking Application Logic                       405
Chapter 12   Attacking Users: Cross-Site Scripting             431
Chapter 13   Attacking Users: Other Techniques                 501
Chapter 14   Automating Customized Attacks                     571
Chapter 15   Exploiting Information Disclosure                 615
Chapter 16   Attacking Native Compiled Applications            633
Chapter 17   Attacking Application Architecture                647
Chapter 18   Attacking the Application Server                  669
Chapter 19   Finding Vulnerabilities in Source Code            701
Chapter 20   A Web Application Hacker’s Toolkit                747
Chapter 21   A Web Application Hacker’s Methodology            791
Index                                                          853


Contents

Introduction                                                 xxiii

Chapter 1    Web Application (In)security                        1
    The Evolution of Web Applications                            2
        Common Web Application Functions                         4
        Benefits of Web Applications                             5
    Web Application Security                                     6
        “This Site Is Secure”                                    7
        The Core Security Problem: Users Can Submit Arbitrary Input  9
        Key Problem Factors                                     10
        The New Security Perimeter                              12
        The Future of Web Application Security                  14
    Summary                                                     15

Chapter 2    Core Defense Mechanisms                            17
    Handling User Access                                        18
        Authentication                                          18
        Session Management                                      19
        Access Control                                          20
    Handling User Input                                         21
        Varieties of Input                                      21
        Approaches to Input Handling                            23
        Boundary Validation                                     25
        Multistep Validation and Canonicalization               28
    Handling Attackers                                          30
        Handling Errors                                         30
        Maintaining Audit Logs                                  31
        Alerting Administrators                                 33
        Reacting to Attacks                                     34
    Managing the Application                                    35
    Summary                                                     36
    Questions                                                   36

Chapter 3    Web Application Technologies                       39
    The HTTP Protocol                                           39
        HTTP Requests                                           40
        HTTP Responses                                          41
        HTTP Methods                                            42
        URLs                                                    44
        REST                                                    44
        HTTP Headers                                            45
        Cookies                                                 47
        Status Codes                                            48
        HTTPS                                                   49
        HTTP Proxies                                            49
        HTTP Authentication                                     50
    Web Functionality                                           51
        Server-Side Functionality                               51
        Client-Side Functionality                               57
        State and Sessions                                      66
    Encoding Schemes                                            66
        URL Encoding                                            67
        Unicode Encoding                                        67
        HTML Encoding                                           68
        Base64 Encoding                                         69
        Hex Encoding                                            69
        Remoting and Serialization Frameworks                   70
    Next Steps                                                  70
    Questions                                                   71

Chapter 4    Mapping the Application                            73
    Enumerating Content and Functionality                       74
        Web Spidering                                           74
        User-Directed Spidering                                 77
        Discovering Hidden Content                              80
        Application Pages Versus Functional Paths               93
        Discovering Hidden Parameters                           96
    Analyzing the Application                                   97
        Identifying Entry Points for User Input                 98
        Identifying Server-Side Technologies                   101
        Identifying Server-Side Functionality                  107
        Mapping the Attack Surface                             111
    Summary                                                    114
    Questions                                                  114

Chapter 5    Bypassing Client-Side Controls                    117
    Transmitting Data Via the Client                           118
        Hidden Form Fields                                     118
        HTTP Cookies                                           121
        URL Parameters                                         121
        The Referer Header                                     122
        Opaque Data                                            123
        The ASP.NET ViewState                                  124
    Capturing User Data: HTML Forms                            127
        Length Limits                                          128
        Script-Based Validation                                129
        Disabled Elements                                      131
    Capturing User Data: Browser Extensions                    133
        Common Browser Extension Technologies                  134
        Approaches to Browser Extensions                       135
        Intercepting Traffic from Browser Extensions           135
        Decompiling Browser Extensions                         139
        Attaching a Debugger                                   151
        Native Client Components                               153
    Handling Client-Side Data Securely                         154
        Transmitting Data Via the Client                       154
        Validating Client-Generated Data                       155
        Logging and Alerting                                   156
    Summary                                                    156
    Questions                                                  157

Chapter 6    Attacking Authentication                          159
    Authentication Technologies                                160
    Design Flaws in Authentication Mechanisms                  161
        Bad Passwords                                          161
        Brute-Forcible Login                                   162
        Verbose Failure Messages                               166
        Vulnerable Transmission of Credentials                 169
        Password Change Functionality                          171
        Forgotten Password Functionality                       173
        “Remember Me” Functionality                            176
        User Impersonation Functionality                       178
        Incomplete Validation of Credentials                   180
        Nonunique Usernames                                    181
        Predictable Usernames                                  182
        Predictable Initial Passwords                          183
        Insecure Distribution of Credentials                   184
    Implementation Flaws in Authentication                     185
        Fail-Open Login Mechanisms                             185
        Defects in Multistage Login Mechanisms                 186
        Insecure Storage of Credentials                        190
    Securing Authentication                                    191
        Use Strong Credentials                                 192
        Handle Credentials Secretively                         192
        Validate Credentials Properly                          193
        Prevent Information Leakage                            195
        Prevent Brute-Force Attacks                            196
        Prevent Misuse of the Password Change Function         199
        Prevent Misuse of the Account Recovery Function        199
        Log, Monitor, and Notify                               201
    Summary                                                    201
    Questions                                                  202

Chapter 7    Attacking Session Management                      205
    The Need for State                                         206
        Alternatives to Sessions                               208
    Weaknesses in Token Generation                             210
        Meaningful Tokens                                      210
        Predictable Tokens                                     213
        Encrypted Tokens                                       223
    Weaknesses in Session Token Handling                       233
        Disclosure of Tokens on the Network                    234
        Disclosure of Tokens in Logs                           237
        Vulnerable Mapping of Tokens to Sessions               240
        Vulnerable Session Termination                         241
        Client Exposure to Token Hijacking                     243
        Liberal Cookie Scope                                   244
    Securing Session Management                                248
        Generate Strong Tokens                                 248
        Protect Tokens Throughout Their Life Cycle             250
        Log, Monitor, and Alert                                253
    Summary                                                    254
    Questions                                                  255

Chapter 8    Attacking Access Controls                         257
    Common Vulnerabilities                                     258
        Completely Unprotected Functionality                   259
        Identifier-Based Functions                             261
        Multistage Functions                                   262
        Static Files                                           263
        Platform Misconfiguration                              264
        Insecure Access Control Methods                        265
    Attacking Access Controls                                  266
        Testing with Different User Accounts                   267
        Testing Multistage Processes                           271
        Testing with Limited Access                            273
        Testing Direct Access to Methods                       276
        Testing Controls Over Static Resources                 277
        Testing Restrictions on HTTP Methods                   278
    Securing Access Controls                                   278
        A Multilayered Privilege Model                         280
    Summary                                                    284
    Questions                                                  284

Chapter 9    Attacking Data Stores                             287
    Injecting into Interpreted Contexts                        288
        Bypassing a Login                                      288
    Injecting into SQL                                         291
        Exploiting a Basic Vulnerability                       292
        Injecting into Different Statement Types               294
        Finding SQL Injection Bugs                             298
        Fingerprinting the Database                            303
        The UNION Operator                                     304
        Extracting Useful Data                                 308
        Extracting Data with UNION                             308
        Bypassing Filters                                      311
        Second-Order SQL Injection                             313
        Advanced Exploitation                                  314
        Beyond SQL Injection: Escalating the Database Attack   325
        Using SQL Exploitation Tools                           328
        SQL Syntax and Error Reference                         332
        Preventing SQL Injection                               338
    Injecting into NoSQL                                       342
        Injecting into MongoDB                                 343
    Injecting into XPath                                       344
        Subverting Application Logic                           345
        Informed XPath Injection                               346
        Blind XPath Injection                                  347
        Finding XPath Injection Flaws                          348
        Preventing XPath Injection                             349
    Injecting into LDAP                                        349
        Exploiting LDAP Injection                              351
        Finding LDAP Injection Flaws                           353
        Preventing LDAP Injection                              354
    Summary                                                    354
    Questions                                                  354

Chapter 10   Attacking Back-End Components                     357
    Injecting OS Commands                                      358
        Example 1: Injecting Via Perl                          358
        Example 2: Injecting Via ASP                           360
        Injecting Through Dynamic Execution                    362
        Finding OS Command Injection Flaws                     363
        Finding Dynamic Execution Vulnerabilities              366
        Preventing OS Command Injection                        367
        Preventing Script Injection Vulnerabilities            368
    Manipulating File Paths                                    368
        Path Traversal Vulnerabilities                         368
        File Inclusion Vulnerabilities                         381
    Injecting into XML Interpreters                            383
        Injecting XML External Entities                        384
        Injecting into SOAP Services                           386
        Finding and Exploiting SOAP Injection                  389
        Preventing SOAP Injection                              390
    Injecting into Back-end HTTP Requests                      390
        Server-side HTTP Redirection                           390
        HTTP Parameter Injection                               393
    Injecting into Mail Services                               397
        E-mail Header Manipulation                             398
        SMTP Command Injection                                 399
        Finding SMTP Injection Flaws                           400
        Preventing SMTP Injection                              402
    Summary                                                    402
    Questions                                                  403

Chapter 11   Attacking Application Logic                       405
    The Nature of Logic Flaws                                  406
    Real-World Logic Flaws                                     406
        Example 1: Asking the Oracle                           407
        Example 2: Fooling a Password Change Function          409
        Example 3: Proceeding to Checkout                      410
        Example 4: Rolling Your Own Insurance                  412
        Example 5: Breaking the Bank                           414
        Example 6: Beating a Business Limit                    416
        Example 7: Cheating on Bulk Discounts                  418
        Example 8: Escaping from Escaping                      419
        Example 9: Invalidating Input Validation               420
        Example 10: Abusing a Search Function                  422
        Example 11: Snarfing Debug Messages                    424
        Example 12: Racing Against the Login                   426
    Avoiding Logic Flaws                                       428
    Summary                                                    429
    Questions                                                  430

Chapter 12   Attacking Users: Cross-Site Scripting             431
    Varieties of XSS                                           433
        Reflected XSS Vulnerabilities                          434
        Stored XSS Vulnerabilities                             438
        DOM-Based XSS Vulnerabilities                          440
    XSS Attacks in Action                                      442
        Real-World XSS Attacks                                 442
        Payloads for XSS Attacks                               443
        Delivery Mechanisms for XSS Attacks                    447
    Finding and Exploiting XSS Vulnerabilities                 451
        Finding and Exploiting Reflected XSS Vulnerabilities   452
        Finding and Exploiting Stored XSS Vulnerabilities      481
        Finding and Exploiting DOM-Based XSS Vulnerabilities   487
    Preventing XSS Attacks                                     492
        Preventing Reflected and Stored XSS                    492
        Preventing DOM-Based XSS                               496
    Summary                                                    498
    Questions                                                  498

Chapter 13   Attacking Users: Other Techniques                 501
    Inducing User Actions                                      501
        Request Forgery                                        502
        UI Redress                                             511
    Capturing Data Cross-Domain                                515
        Capturing Data by Injecting HTML                       516
        Capturing Data by Injecting CSS                        517
        JavaScript Hijacking                                   519
    The Same-Origin Policy Revisited                           524
        The Same-Origin Policy and Browser Extensions          525
        The Same-Origin Policy and HTML5                       528
        Crossing Domains with Proxy Service Applications       529
    Other Client-Side Injection Attacks                        531
        HTTP Header Injection                                  531
        Cookie Injection                                       536
        Open Redirection Vulnerabilities                       540
        Client-Side SQL Injection                              547
        Client-Side HTTP Parameter Pollution                   548
    Local Privacy Attacks                                      550
        Persistent Cookies                                     550
        Cached Web Content                                     551
        Browsing History                                       552
        Autocomplete                                           552
        Flash Local Shared Objects                             553
        Silverlight Isolated Storage                           553
        Internet Explorer userData                             554
        HTML5 Local Storage Mechanisms                         554
        Preventing Local Privacy Attacks                       554
    Attacking ActiveX Controls                                 555
        Finding ActiveX Vulnerabilities                        556
        Preventing ActiveX Vulnerabilities                     558
    Attacking the Browser                                      559
        Logging Keystrokes                                     560
        Stealing Browser History and Search Queries            560
        Enumerating Currently Used Applications                560
        Port Scanning                                          561
        Attacking Other Network Hosts                          561
        Exploiting Non-HTTP Services                           562
        Exploiting Browser Bugs                                563
        DNS Rebinding                                          563
        Browser Exploitation Frameworks                        564
        Man-in-the-Middle Attacks                              566
    Summary                                                    568
    Questions                                                  568

Chapter 14   Automating Customized Attacks                     571
    Uses for Customized Automation                             572
    Enumerating Valid Identifiers                              573
        The Basic Approach                                     574
        Detecting Hits                                         574
        Scripting the Attack                                   576
        JAttack                                                577
    Harvesting Useful Data                                     583
    Fuzzing for Common Vulnerabilities                         586
    Putting It All Together: Burp Intruder                     590
    Barriers to Automation                                     602
        Session-Handling Mechanisms                            602
        CAPTCHA Controls                                       610
    Summary                                                    613
    Questions                                                  613

Chapter 15   Exploiting Information Disclosure                 615
    Exploiting Error Messages                                  615
        Script Error Messages                                  616
        Stack Traces                                           617
        Informative Debug Messages                             618
        Server and Database Messages                           619
        Using Public Information                               623
        Engineering Informative Error Messages                 624
    Gathering Published Information                            625
    Using Inference                                            626
    Preventing Information Leakage                             627
        Use Generic Error Messages                             628
        Protect Sensitive Information                          628
        Minimize Client-Side Information Leakage               629
    Summary                                                    629
    Questions                                                  630

Chapter 16   Attacking Native Compiled Applications            633
    Buffer Overflow Vulnerabilities                            634
        Stack Overflows                                        634
        Heap Overflows                                         635
        “Off-by-One” Vulnerabilities                           636
        Detecting Buffer Overflow Vulnerabilities              639
    Integer Vulnerabilities                                    640
        Integer Overflows                                      640
        Signedness Errors                                      641
        Detecting Integer Vulnerabilities                      642
    Format String Vulnerabilities                              643
        Detecting Format String Vulnerabilities                644
    Summary                                                    645
    Questions                                                  645

Chapter 17   Attacking Application Architecture                647
    Tiered Architectures                                       647
        Attacking Tiered Architectures                         648
        Securing Tiered Architectures                          654
    Shared Hosting and Application Service Providers           656
        Virtual Hosting                                        657
        Shared Application Services                            657
        Attacking Shared Environments                          658
        Securing Shared Environments                           665
    Summary                                                    667
    Questions                                                  667

Chapter 18   Attacking the Application Server                  669
    Vulnerable Server Configuration                            670
        Default Credentials                                    670
        Default Content                                        671
        Directory Listings                                     677
        WebDAV Methods                                         679
        The Application Server as a Proxy                      682
        Misconfigured Virtual Hosting                          683
        Securing Web Server Configuration                      684
    Vulnerable Server Software                                 684
        Application Framework Flaws                            685
        Memory Management Vulnerabilities                      687
        Encoding and Canonicalization                          689
        Finding Web Server Flaws                               694
        Securing Web Server Software                           695
    Web Application Firewalls                                  697
    Summary                                                    699
    Questions                                                  699

Chapter 19   Finding Vulnerabilities in Source Code            701
    Approaches to Code Review                                  702
        Black-Box Versus White-Box Testing                     702
        Code Review Methodology                                703
    Signatures of Common Vulnerabilities                       704
        Cross-Site Scripting                                   704
        SQL Injection                                          705
        Path Traversal                                         706
        Arbitrary Redirection                                  707
        OS Command Injection                                   708
        Backdoor Passwords                                     708
        Native Software Bugs                                   709
        Source Code Comments                                   710
    The Java Platform                                          711
        Identifying User-Supplied Data                         711
        Session Interaction                                    712
        Potentially Dangerous APIs                             713
        Configuring the Java Environment                       716
    ASP.NET                                                    718
        Identifying User-Supplied Data                         718
        Session Interaction                                    719
        Potentially Dangerous APIs                             720
        Configuring the ASP.NET Environment                    723
    PHP                                                        724
        Identifying User-Supplied Data                         724
        Session Interaction                                    727
        Potentially Dangerous APIs                             727
        Configuring the PHP Environment                        732
    Perl                                                       735
        Identifying User-Supplied Data                         735
        Session Interaction                                    736
        Potentially Dangerous APIs                             736
        Configuring the Perl Environment                       739
    JavaScript                                                 740
    Database Code Components                                   741
        SQL Injection                                          741
        Calls to Dangerous Functions                           742
    Tools for Code Browsing                                    743
    Summary                                                    744
    Questions                                                  744

Chapter 20   A Web Application Hacker’s Toolkit                747
    Web Browsers                                               748
        Internet Explorer                                      748
        Firefox                                                749
        Chrome                                                 750
    Integrated Testing Suites                                  751
        How the Tools Work                                     751
        Testing Work Flow                                      769
        Alternatives to the Intercepting Proxy                 771
    Standalone Vulnerability Scanners                          773
        Vulnerabilities Detected by Scanners                   774
        Inherent Limitations of Scanners                       776
        Technical Challenges Faced by Scanners                 778
        Current Products                                       781
        Using a Vulnerability Scanner                          783
    Other Tools                                                785
        Wikto/Nikto                                            785
        Firebug                                                785
        Hydra                                                  785
        Custom Scripts                                         786
    Summary                                                    789

Chapter 21   A Web Application Hacker’s Methodology            791
    General Guidelines                                         793
    1    Map the Application’s Content                         795
        1.1   Explore Visible Content                          795
        1.2   Consult Public Resources                         796
        1.3   Discover Hidden Content                          796
        1.4   Discover Default Content                         797
        1.5   Enumerate Identifier-Specified Functions         797
        1.6   Test for Debug Parameters                        798
    2    Analyze the Application                               798
        2.1   Identify Functionality                           798
        2.2   Identify Data Entry Points                       799
        2.3   Identify the Technologies Used                   799
        2.4   Map the Attack Surface                           800
    3    Test Client-Side Controls                             800
        3.1   Test Transmission of Data Via the Client         801
        3.2   Test Client-Side Controls Over User Input        801
        3.3   Test Browser Extension Components                802
    4    Test the Authentication Mechanism                     805
        4.1   Understand the Mechanism                         805
        4.2   Test Password Quality                            806
        4.3   Test for Username Enumeration                    806
        4.4   Test Resilience to Password Guessing             807
        4.5   Test Any Account Recovery Function               807
        4.6   Test Any Remember Me Function                    808
        4.7   Test Any Impersonation Function                  808
        4.8   Test Username Uniqueness                         809
        4.9   Test Predictability of Autogenerated Credentials  809
        4.10  Check for Unsafe Transmission of Credentials     810
        4.11  Check for Unsafe Distribution of Credentials     810
        4.12  Test for Insecure Storage                        811
        4.13  Test for Logic Flaws                             811
        4.14  Exploit Any Vulnerabilities to Gain Unauthorized Access  813
    5    Test the Session Management Mechanism                 814
        5.1   Understand the Mechanism                         814
        5.2   Test Tokens for Meaning                          815
        5.3   Test Tokens for Predictability                   816
        5.4   Check for Insecure Transmission of Tokens        817
        5.5   Check for Disclosure of Tokens in Logs           817
        5.6   Check Mapping of Tokens to Sessions              818
        5.7   Test Session Termination                         818
        5.8   Check for Session Fixation                       819
        5.9   Check for CSRF                                   820
        5.10  Check Cookie Scope                               820
    6    Test Access Controls                                  821
        6.1   Understand the Access Control Requirements       821
        6.2   Test with Multiple Accounts                      822
        6.3   Test with Limited Access                         822
        6.4   Test for Insecure Access Control Methods         823
    7    Test for Input-Based Vulnerabilities                  824
        7.1   Fuzz All Request Parameters                      824
        7.2   Test for SQL Injection                           827
        7.3   Test for XSS and Other Response Injection        829
        7.4   Test for OS Command Injection                    832
        7.5   Test for Path Traversal                          833
        7.6   Test for Script Injection                        835
        7.7   Test for File Inclusion                          835
    8    Test for Function-Specific Input Vulnerabilities      836
        8.1   Test for SMTP Injection                          836
        8.2   Test for Native Software Vulnerabilities         837
        8.3   Test for SOAP Injection                          839
        8.4   Test for LDAP Injection                          839
        8.5   Test for XPath Injection                         840
        8.6   Test for Back-End Request Injection              841
        8.7   Test for XXE Injection                           841
    9    Test for Logic Flaws                                  842
        9.1   Identify the Key Attack Surface                  842
        9.2   Test Multistage Processes                        842
        9.3   Test Handling of Incomplete Input                843
        9.4   Test Trust Boundaries                            844
        9.5   Test Transaction Logic                           844
    10   Test for Shared Hosting Vulnerabilities               845
        10.1  Test Segregation in Shared Infrastructures       845
        10.2  Test Segregation Between ASP-Hosted Applications  845
    11   Test for Application Server Vulnerabilities           846
        11.1  Test for Default Credentials                     846
        11.2  Test for Default Content                         847
        11.3  Test for Dangerous HTTP Methods                  847
        11.4  Test for Proxy Functionality                     847
        11.5  Test for Virtual Hosting Misconfiguration        847
        11.6  Test for Web Server Software Bugs                848
        11.7  Test for Web Application Firewalling             848
    12   Miscellaneous Checks                                  849
        12.1  Check for DOM-Based Attacks                      849
        12.2  Check for Local Privacy Vulnerabilities          850
        12.3  Check for Weak SSL Ciphers                       851
        12.4  Check Same-Origin Policy Configuration           851
    13   Follow Up Any Information Leakage                     852

Index                                                          853

Introduction

This book is a practical guide to discovering and exploiting security flaws in web applications. By “web applications” we mean those that are accessed using a web browser to communicate with a web server. We examine a wide variety of different technologies, such as databases, file systems, and web services, but only in the context in which these are employed by web applications.

If you want to learn how to run port scans, attack firewalls, or break into servers in other ways, we suggest you look elsewhere. But if you want to know how to hack into a web application, steal sensitive data, and perform unauthorized actions, this is the book for you. There is enough that is interesting and fun to say on that subject without straying into any other territory.

Overview of This Book

The focus of this book is highly practical. Although we include sufficient background and theory for you to understand the vulnerabilities that web applications contain, our primary concern is the tasks and techniques that you need to master to break into them. Throughout the book, we spell out the specific steps you need to follow to detect each type of vulnerability, and how to exploit it to perform unauthorized actions. We also include a wealth of real-world examples, derived from the authors’ many years of experience, illustrating how different kinds of security flaws manifest themselves in today’s web applications.

Security awareness is usually a double-edged sword. Just as application developers can benefit from understanding the methods attackers use, hackers can gain from knowing how applications can effectively defend themselves. In addition to describing security vulnerabilities and attack techniques, we describe in detail the countermeasures that applications can take to thwart an