70779ffirs.qxd:WileyRed
9/17/07
12:11 PM
Page i
The Web Application
Hacker’s Handbook
Discovering and Exploiting Security Flaws
Dafydd Stuttard
Marcus Pinto
Wiley Publishing, Inc.
The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws
Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2008 by Dafydd Stuttard and Marcus Pinto.
Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-0-470-17077-9
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form
or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as
permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior
written permission of the Publisher, or authorization through payment of the appropriate per-copy fee
to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978)
646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley
Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or
online at
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or
warranties with respect to the accuracy or completeness of the contents of this work and specifically
disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No
warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the
publisher is not engaged in rendering legal, accounting, or other professional services. If professional
assistance is required, the services of a competent professional person should be sought. Neither the
publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or
Website is referred to in this work as a citation and/or a potential source of further information does
not mean that the author or the publisher endorses the information the organization or Website may
provide or recommendations it may make. Further, readers should be aware that Internet Websites
listed in this work may have changed or disappeared between when this work was written and when
it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993
or fax (317) 572-4002.
Library of Congress Cataloging-in-Publication Data
Stuttard, Dafydd, 1972-
The web application hacker's handbook : discovering and exploiting security flaws / Dafydd Stuttard, Marcus Pinto.
p. cm.
Includes index.
ISBN 978-0-470-17077-9 (pbk.)
1. Internet--Security measures. 2. Computer security. I. Pinto, Marcus, 1978- II. Title.
TK5105.875.I57S85 2008
005.8--dc22
2007029983
Trademarks: Wiley and related trade dress are registered trademarks of Wiley Publishing, Inc., in the
United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any
product or vendor mentioned in this book.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may
not be available in electronic books.
70779ffirs.qxd:WileyRed
9/17/07
12:11 PM
Page iii
About the Authors
Dafydd Stuttard is a Principal Security Consultant at Next Generation Security Software, where he leads the web application security competency. He has nine years’ experience in security consulting and specializes in the penetration testing of web applications and compiled software.

Dafydd has worked with numerous banks, retailers, and other enterprises to help secure their web applications, and has provided security consulting to several software manufacturers and governments to help secure their compiled software. Dafydd is an accomplished programmer in several languages, and his interests include developing tools to facilitate all kinds of software security testing.

Dafydd has developed and presented training courses at the Black Hat security conferences around the world. Under the alias “PortSwigger,” Dafydd created the popular Burp Suite of web application hacking tools. Dafydd holds master’s and doctorate degrees in philosophy from the University of Oxford.

Marcus Pinto is a Principal Security Consultant at Next Generation Security Software, where he leads the database competency development team, and has led the development of NGS’ primary training courses. He has eight years’ experience in security consulting and specializes in penetration testing of web applications and supporting architectures.

Marcus has worked with numerous banks, retailers, and other enterprises to help secure their web applications, and has provided security consulting to the development projects of several security-critical applications. He has worked extensively with large-scale web application deployments in the financial services industry.

Marcus has developed and presented database and web application training courses at the Black Hat and other security conferences around the world. Marcus holds a master’s degree in physics from the University of Cambridge.
Credits

Executive Editor: Carol Long
Vice President and Executive Publisher: Joseph B. Wikert
Development Editor: Adaobi Obi Tulton
Project Coordinator, Cover: Lynsey Osborn
Production Editor: Christine O’Connor
Compositor: Happenstance Type-O-Rama
Copy Editor: Foxxe Editorial Services
Proofreader: Kathryn Duggan
Editorial Manager: Mary Beth Wakefield
Indexer: Johnna VanHoose Dinse
Production Manager: Tim Tate
Anniversary Logo Design: Richard Pacifico
Vice President and Executive Group Publisher: Richard Swadley
70779toc.qxd:WileyRed
9/16/07
5:07 PM
Page v
Contents

Acknowledgments  xxiii
Introduction  xxv

Chapter 1  Web Application (In)security  1
    The Evolution of Web Applications  2
    Common Web Application Functions  3
    Benefits of Web Applications  4
    Web Application Security  5
    “This Site Is Secure”  6
    The Core Security Problem: Users Can Submit Arbitrary Input  8
    Key Problem Factors  9
    Immature Security Awareness  9
    In-House Development  9
    Deceptive Simplicity  9
    Rapidly Evolving Threat Profile  10
    Resource and Time Constraints  10
    Overextended Technologies  10
    The New Security Perimeter  10
    The Future of Web Application Security  12
    Chapter Summary  13

Chapter 2  Core Defense Mechanisms  15
    Handling User Access  16
    Authentication  16
    Session Management  17
    Access Control  18
    Handling User Input  19
    Varieties of Input  20
    Approaches to Input Handling  21
    “Reject Known Bad”  21
    “Accept Known Good”  21
    Sanitization  22
    Safe Data Handling  22
    Semantic Checks  23
    Boundary Validation  23
    Multistep Validation and Canonicalization  26
    Handling Attackers  27
    Handling Errors  27
    Maintaining Audit Logs  29
    Alerting Administrators  30
    Reacting to Attacks  31
    Managing the Application  32
    Chapter Summary  33
    Questions  34

Chapter 3  Web Application Technologies  35
    The HTTP Protocol  35
    HTTP Requests  36
    HTTP Responses  37
    HTTP Methods  38
    URLs  40
    HTTP Headers  41
    General Headers  41
    Request Headers  41
    Response Headers  42
    Cookies  43
    Status Codes  44
    HTTPS  45
    HTTP Proxies  46
    HTTP Authentication  47
    Web Functionality  47
    Server-Side Functionality  48
    The Java Platform  49
    ASP.NET  50
    PHP  50
    Client-Side Functionality  51
    HTML  51
    Hyperlinks  51
    Forms  52
    JavaScript  54
    Thick Client Components  54
    State and Sessions  55
    Encoding Schemes  56
    URL Encoding  56
    Unicode Encoding  57
    HTML Encoding  57
    Base64 Encoding  58
    Hex Encoding  59
    Next Steps  59
    Questions  59

Chapter 4  Mapping the Application  61
    Enumerating Content and Functionality  62
    Web Spidering  62
    User-Directed Spidering  65
    Discovering Hidden Content  67
    Brute-Force Techniques  67
    Inference from Published Content  70
    Use of Public Information  72
    Leveraging the Web Server  75
    Application Pages vs. Functional Paths  76
    Discovering Hidden Parameters  79
    Analyzing the Application  79
    Identifying Entry Points for User Input  80
    Identifying Server-Side Technologies  82
    Banner Grabbing  82
    HTTP Fingerprinting  82
    File Extensions  84
    Directory Names  86
    Session Tokens  86
    Third-Party Code Components  87
    Identifying Server-Side Functionality  88
    Dissecting Requests  88
    Extrapolating Application Behavior  90
    Mapping the Attack Surface  91
    Chapter Summary  92
    Questions  93

Chapter 5  Bypassing Client-Side Controls  95
    Transmitting Data via the Client  95
    Hidden Form Fields  96
    HTTP Cookies  99
    URL Parameters  99
    The Referer Header  100
    Opaque Data  101
    The ASP.NET ViewState  102
    Capturing User Data: HTML Forms  106
    Length Limits  106
    Script-Based Validation  108
    Disabled Elements  110
    Capturing User Data: Thick-Client Components  111
    Java Applets  112
    Decompiling Java Bytecode  114
    Coping with Bytecode Obfuscation  117
    ActiveX Controls  119
    Reverse Engineering  120
    Manipulating Exported Functions  122
    Fixing Inputs Processed by Controls  123
    Decompiling Managed Code  124
    Shockwave Flash Objects  124
    Handling Client-Side Data Securely  128
    Transmitting Data via the Client  128
    Validating Client-Generated Data  129
    Logging and Alerting  131
    Chapter Summary  131
    Questions  132

Chapter 6  Attacking Authentication  133
    Authentication Technologies  134
    Design Flaws in Authentication Mechanisms  135
    Bad Passwords  135
    Brute-Forcible Login  136
    Verbose Failure Messages  139
    Vulnerable Transmission of Credentials  142
    Password Change Functionality  144
    Forgotten Password Functionality  145
    “Remember Me” Functionality  148
    User Impersonation Functionality  149
    Incomplete Validation of Credentials  152
    Non-Unique Usernames  152
    Predictable Usernames  154
    Predictable Initial Passwords  154
    Insecure Distribution of Credentials  155
    Implementation Flaws in Authentication  156
    Fail-Open Login Mechanisms  156
    Defects in Multistage Login Mechanisms  157
    Insecure Storage of Credentials  161
    Securing Authentication  162
    Use Strong Credentials  162
    Handle Credentials Secretively  163
    Validate Credentials Properly  164
    Prevent Information Leakage  166
    Prevent Brute-Force Attacks  167
    Prevent Misuse of the Password Change Function  170
    Prevent Misuse of the Account Recovery Function  170
    Log, Monitor, and Notify  172
    Chapter Summary  172

Chapter 7  Attacking Session Management  175
    The Need for State  176
    Alternatives to Sessions  178
    Weaknesses in Session Token Generation  180
    Meaningful Tokens  180
    Predictable Tokens  182
    Concealed Sequences  184
    Time Dependency  185
    Weak Random Number Generation  187
    Weaknesses in Session Token Handling  191
    Disclosure of Tokens on the Network  192
    Disclosure of Tokens in Logs  196
    Vulnerable Mapping of Tokens to Sessions  198
    Vulnerable Session Termination  200
    Client Exposure to Token Hijacking  201
    Liberal Cookie Scope  203
    Cookie Domain Restrictions  203
    Cookie Path Restrictions  205
    Securing Session Management  206
    Generate Strong Tokens  206
    Protect Tokens throughout Their Lifecycle  208
    Per-Page Tokens  211
    Log, Monitor, and Alert  212
    Reactive Session Termination  212
    Chapter Summary  213
    Questions  214

Chapter 8  Attacking Access Controls  217
    Common Vulnerabilities  218
    Completely Unprotected Functionality  219
    Identifier-Based Functions  220
    Multistage Functions  222
    Static Files  222
    Insecure Access Control Methods  223
    Attacking Access Controls  224
    Securing Access Controls  228
    A Multi-Layered Privilege Model  231
    Chapter Summary  234
    Questions  235

Chapter 9  Injecting Code  237
    Injecting into Interpreted Languages  238
    Injecting into SQL  240
    Exploiting a Basic Vulnerability  241
    Bypassing a Login  243
    Finding SQL Injection Bugs  244
    Injecting into Different Statement Types  247
    The UNION Operator  251
    Fingerprinting the Database  255
    Extracting Useful Data  256
    An Oracle Hack  257
    An MS-SQL Hack  260
    Exploiting ODBC Error Messages (MS-SQL Only)  262
    Enumerating Table and Column Names  263
    Extracting Arbitrary Data  265
    Using Recursion  266
    Bypassing Filters  267
    Second-Order SQL Injection  271
    Advanced Exploitation  272
    Retrieving Data as Numbers  273
    Using an Out-of-Band Channel  274
    Using Inference: Conditional Responses  277
    Beyond SQL Injection: Escalating the Database Attack  285
    MS-SQL  286
    Oracle  288
    MySQL  288
    SQL Syntax and Error Reference  289
    SQL Syntax  290
    SQL Error Messages  292
    Preventing SQL Injection  296
    Partially Effective Measures  296
    Parameterized Queries  297
    Defense in Depth  299
    Injecting OS Commands  300
    Example 1: Injecting via Perl  300
    Example 2: Injecting via ASP  302
    Finding OS Command Injection Flaws  304
    Preventing OS Command Injection  307
    Injecting into Web Scripting Languages  307
    Dynamic Execution Vulnerabilities  307
    Dynamic Execution in PHP  308
    Dynamic Execution in ASP  308
    Finding Dynamic Execution Vulnerabilities  309
    File Inclusion Vulnerabilities  310
    Remote File Inclusion  310
    Local File Inclusion  311
    Finding File Inclusion Vulnerabilities  312
    Preventing Script Injection Vulnerabilities  312
    Injecting into SOAP  313
    Finding and Exploiting SOAP Injection  315
    Preventing SOAP Injection  316
    Injecting into XPath  316
    Subverting Application Logic  317
    Informed XPath Injection  318
    Blind XPath Injection  319
    Finding XPath Injection Flaws  320
    Preventing XPath Injection  321
    Injecting into SMTP  321
    Email Header Manipulation  322
    SMTP Command Injection  323
    Finding SMTP Injection Flaws  324
    Preventing SMTP Injection  326
    Injecting into LDAP  326
    Injecting Query Attributes  327
    Modifying the Search Filter  328
    Finding LDAP Injection Flaws  329
    Preventing LDAP Injection  330
    Chapter Summary  331
    Questions  331

Chapter 10  Exploiting Path Traversal  333
    Common Vulnerabilities  333
    Finding and Exploiting Path Traversal Vulnerabilities  335
    Locating Targets for Attack  335
    Detecting Path Traversal Vulnerabilities  336
    Circumventing Obstacles to Traversal Attacks  339
    Coping with Custom Encoding  342
    Exploiting Traversal Vulnerabilities  344
    Preventing Path Traversal Vulnerabilities  344
    Chapter Summary  346
    Questions  346

Chapter 11  Attacking Application Logic  349
    The Nature of Logic Flaws  350
    Real-World Logic Flaws  350
    Example 1: Fooling a Password Change Function  351
    The Functionality  351
    The Assumption  351
    The Attack  352
    Example 2: Proceeding to Checkout  352
    The Functionality  352
    The Assumption  353
    The Attack  353
    Example 3: Rolling Your Own Insurance  354
    The Functionality  354
    The Assumption  354
    The Attack  355
    Example 4: Breaking the Bank  356
    The Functionality  356
    The Assumption  357
    The Attack  358
    Example 5: Erasing an Audit Trail  359
    The Functionality  359
    The Assumption  359
    The Attack  359
    Example 6: Beating a Business Limit  360
    The Functionality  360
    The Assumption  361
    The Attack  361
    Example 7: Cheating on Bulk Discounts  362
    The Functionality  362
    The Assumption  362
    The Attack  362
    Example 8: Escaping from Escaping  363
    The Functionality  363
    The Assumption  364
    The Attack  364
    Example 9: Abusing a Search Function  365
    The Functionality  365
    The Assumption  365
    The Attack  365
    Example 10: Snarfing Debug Messages  366
    The Functionality  366
    The Assumption  367
    The Attack  367
    Example 11: Racing against the Login  368
    The Functionality  368
    The Assumption  368
    The Attack  368
    Avoiding Logic Flaws  370
    Chapter Summary  372
    Questions  372

Chapter 12  Attacking Other Users  375
    Cross-Site Scripting  376
    Reflected XSS Vulnerabilities  377
    Exploiting the Vulnerability  379
    Stored XSS Vulnerabilities  383
    Storing XSS in Uploaded Files  385
    DOM-Based XSS Vulnerabilities  386
    Real-World XSS Attacks  388
    Chaining XSS and Other Attacks  390
    Payloads for XSS Attacks  391
    Virtual Defacement  391
    Injecting Trojan Functionality  392
    Inducing User Actions  394
    Exploiting Any Trust Relationships  394
    Escalating the Client-Side Attack  396
    Delivery Mechanisms for XSS Attacks  399
    Delivering Reflected and DOM-Based XSS Attacks  399
    Delivering Stored XSS Attacks  400
    Finding and Exploiting XSS Vulnerabilities  401
    Finding and Exploiting Reflected XSS Vulnerabilities  402
    Finding and Exploiting Stored XSS Vulnerabilities  415
    Finding and Exploiting DOM-Based XSS Vulnerabilities  417
    HttpOnly Cookies and Cross-Site Tracing  421
    Preventing XSS Attacks  423
    Preventing Reflected and Stored XSS  423
    Preventing DOM-Based XSS  427
    Preventing XST  428
    Redirection Attacks  428
    Finding and Exploiting Redirection Vulnerabilities  429
    Circumventing Obstacles to Attack  431
    Preventing Redirection Vulnerabilities  433
    HTTP Header Injection  434
    Exploiting Header Injection Vulnerabilities  434
    Injecting Cookies  435
    Delivering Other Attacks  436
    HTTP Response Splitting  436
    Preventing Header Injection Vulnerabilities  438
    Frame Injection  438
    Exploiting Frame Injection  439
    Preventing Frame Injection  440
    Request Forgery  440
    On-Site Request Forgery  441
    Cross-Site Request Forgery  442
    Exploiting XSRF Flaws  443
    Preventing XSRF Flaws  444
    JSON Hijacking  446
    JSON  446
    Attacks against JSON  447
    Overriding the Array Constructor  447
    Implementing a Callback Function  448
    Finding JSON Hijacking Vulnerabilities  449
    Preventing JSON Hijacking  450
    Session Fixation  450
    Finding and Exploiting Session Fixation Vulnerabilities  452
    Preventing Session Fixation Vulnerabilities  453
    Attacking ActiveX Controls  454
    Finding ActiveX Vulnerabilities  455
    Preventing ActiveX Vulnerabilities  456
    Local Privacy Attacks  458
    Persistent Cookies  458
    Cached Web Content  458
    Browsing History  459
    Autocomplete  460
    Preventing Local Privacy Attacks  460
    Advanced Exploitation Techniques  461
    Leveraging Ajax  461
    Making Asynchronous Off-Site Requests  463
    Anti-DNS Pinning  464
    A Hypothetical Attack  465
    DNS Pinning  466
    Attacks against DNS Pinning  466
    Browser Exploitation Frameworks  467
    Chapter Summary  469
    Questions  469

Chapter 13  Automating Bespoke Attacks  471
    Uses for Bespoke Automation  472
    Enumerating Valid Identifiers  473
    The Basic Approach  474
    Detecting Hits  474
    HTTP Status Code  474
    Response Length  475
    Response Body  475
    Location Header  475
    Set-cookie Header  475
    Time Delays  476
    Scripting the Attack  476
    JAttack  477
    Harvesting Useful Data  484
    Fuzzing for Common Vulnerabilities  487
    Putting It All Together: Burp Intruder  491
    Positioning Payloads  492
    Choosing Payloads  493
    Configuring Response Analysis  494
    Attack 1: Enumerating Identifiers  495
    Attack 2: Harvesting Information  498
    Attack 3: Application Fuzzing  500
    Chapter Summary  502
    Questions  502

Chapter 14  Exploiting Information Disclosure  505
    Exploiting Error Messages  505
    Script Error Messages  506
    Stack Traces  507
    Informative Debug Messages  508
    Server and Database Messages  509
    Using Public Information  511
    Engineering Informative Error Messages  512
    Gathering Published Information  513
    Using Inference  514
    Preventing Information Leakage  516
    Use Generic Error Messages  516
    Protect Sensitive Information  517
    Minimize Client-Side Information Leakage  517
    Chapter Summary  518
    Questions  518

Chapter 15  Attacking Compiled Applications  521
    Buffer Overflow Vulnerabilities  522
    Stack Overflows  522
    Heap Overflows  523
    “Off-by-One” Vulnerabilities  524
    Detecting Buffer Overflow Vulnerabilities  527
    Integer Vulnerabilities  529
    Integer Overflows  529
    Signedness Errors  529
    Detecting Integer Vulnerabilities  530
    Format String Vulnerabilities  531
    Detecting Format String Vulnerabilities  532
    Chapter Summary  533
    Questions  534

Chapter 16  Attacking Application Architecture  535
    Tiered Architectures  535
    Attacking Tiered Architectures  536
    Exploiting Trust Relationships between Tiers  537
    Subverting Other Tiers  538
    Attacking Other Tiers  539
    Securing Tiered Architectures  540
    Minimize Trust Relationships  540
    Segregate Different Components  541
    Apply Defense in Depth  542
    Shared Hosting and Application Service Providers  542
    Virtual Hosting  543
    Shared Application Services  543
    Attacking Shared Environments  544
    Attacks against Access Mechanisms  545
    Attacks between Applications  546
    Securing Shared Environments  549
    Secure Customer Access  549
    Segregate Customer Functionality  550
    Segregate Components in a Shared Application  551
    Chapter Summary  551
    Questions  551

Chapter 17  Attacking the Web Server  553
    Vulnerable Web Server Configuration  553
    Default Credentials  554
    Default Content  555
    Debug Functionality  555
    Sample Functionality  556
    Powerful Functions  557
    Directory Listings  559
    Dangerous HTTP Methods  560
    The Web Server as a Proxy  562
    Misconfigured Virtual Hosting  564
    Securing Web Server Configuration  565
    Vulnerable Web Server Software  566
    Buffer Overflow Vulnerabilities  566
    Microsoft IIS ISAPI Extensions  567
    Apache Chunked Encoding Overflow  567
    Microsoft IIS WebDav Overflow  567
    iPlanet Search Overflow  567
    Path Traversal Vulnerabilities  568
    Accipiter DirectServer  568
    Alibaba  568
    Cisco ACS Acme.server  568
    McAfee EPolicy Orchestrator  568
    Encoding and Canonicalization Vulnerabilities  568
    Allaire JRun Directory Listing Vulnerability  569
    Microsoft IIS Unicode Path Traversal Vulnerabilities  569
    Oracle PL/SQL Exclusion List Bypasses  570
    Finding Web Server Flaws  571
    Securing Web Server Software  572
    Choose Software with a Good Track Record  572
    Apply Vendor Patches  572
    Perform Security Hardening  573
    Monitor for New Vulnerabilities  573
    Use Defense-in-Depth  573
    Chapter Summary  574
    Questions  574

Chapter 18  Finding Vulnerabilities in Source Code  577
    Approaches to Code Review  578
    Black-Box vs. White-Box Testing  578
    Code Review Methodology  579
    Signatures of Common Vulnerabilities  580
    Cross-Site Scripting  580
    SQL Injection  581
    Path Traversal  582
    Arbitrary Redirection  583
    OS Command Injection  584
    Backdoor Passwords  584
    Native Software Bugs  585
    Buffer Overflow Vulnerabilities  585
    Integer Vulnerabilities  586
    Format String Vulnerabilities  586
    Source Code Comments  586
    The Java Platform  587
    Identifying User-Supplied Data  587
    Session Interaction  589
    Potentially Dangerous APIs  589
    File Access  589
    Database Access  590
    Dynamic Code Execution  591
    OS Command Execution  591
    URL Redirection  592
    Sockets  592
    Configuring the Java Environment  593
    ASP.NET  594
    Identifying User-Supplied Data  594
    Session Interaction  595
    Potentially Dangerous APIs  596
    File Access  596
    Database Access  597
    Dynamic Code Execution  598
    OS Command Execution  598
    URL Redirection  599
    Sockets  600
    Configuring the ASP.NET Environment  600
    PHP  601
    Identifying User-Supplied Data  601
    Session Interaction  603
    Potentially Dangerous APIs  604
    File Access  604
    Database Access  606
    Dynamic Code Execution  607
    OS Command Execution  607
    URL Redirection  608
    Sockets  608
    Configuring the PHP Environment  609
    Register Globals  609
    Safe Mode  610
    Magic Quotes  610
    Miscellaneous  611
    Perl  611
    Identifying User-Supplied Data  612
    Session Interaction  613
    Potentially Dangerous APIs  613
    File Access  613
    Database Access  613
    Dynamic Code Execution  614
    OS Command Execution  614
    URL Redirection  615
    Sockets  615
    Configuring the Perl Environment  615
    JavaScript  616
    Database Code Components  617
    SQL Injection  617
    Calls to Dangerous Functions  618
    Tools for Code Browsing  619
    Chapter Summary  620
    Questions  621

Chapter 19  A Web Application Hacker’s Toolkit  623
    Web Browsers  624
    Internet Explorer  624
    Firefox  624
    Opera  626
    Integrated Testing Suites  627
    How the Tools Work  628
    Intercepting Proxies  628
    Web Application Spiders  633
    Application Fuzzers and Scanners  636
    Manual Request Tools  637
    Feature Comparison  640
    Burp Suite  643
    Paros  644
    WebScarab  645
    Alternatives to the Intercepting Proxy  646
    Tamper Data  647
    TamperIE  647
    Vulnerability Scanners  649
    Vulnerabilities Detected by Scanners  649
    Inherent Limitations of Scanners  651
    Every Web Application Is Different  652
    Scanners Operate on Syntax  652
    Scanners Do Not Improvise  652
    Scanners Are Not Intuitive  653
    Technical Challenges Faced by Scanners  653
    Authentication and Session Handling  653
    Dangerous Effects  654
    Individuating Functionality  655
    Other Challenges to Automation  655
    Current Products  656
    Using a Vulnerability Scanner  658
    Other Tools  659
    Nikto  660
    Hydra  660
    Custom Scripts  661
    Wget  662
    Curl  662
    Netcat  663
    Stunnel  663
    Chapter Summary  664

Chapter 20  A Web Application Hacker’s Methodology  665
    General Guidelines  667
    1. Map the Application’s Content  669
    1.1. Explore Visible Content  669
    1.2. Consult Public Resources  670
    1.3. Discover Hidden Content  670
    1.4. Discover Default Content  671
    1.5. Enumerate Identifier-Specified Functions  671
    1.6. Test for Debug Parameters  672
    2. Analyze the Application  672
    2.1. Identify Functionality  673
    2.2. Identify Data Entry Points  673
    2.3. Identify the Technologies Used  673
    2.4. Map the Attack Surface  674
    3. Test Client-Side Controls  675
    3.1. Test Transmission of Data via the Client  675
    3.2. Test Client-Side Controls over User Input  676
    3.3. Test Thick-Client Components  677
    3.3.1. Test Java Applets  677
    3.3.2. Test ActiveX controls  678
    3.3.3. Test Shockwave Flash objects  678
    4. Test the Authentication Mechanism  679
    4.1. Understand the Mechanism  680
    4.2. Test Password Quality  680
    4.3. Test for Username Enumeration  680
    4.4. Test Resilience to Password Guessing  681
    4.5. Test Any Account Recovery Function  682
    4.6. Test Any Remember Me Function  682
    4.7. Test Any Impersonation Function  683
    4.8. Test Username Uniqueness  683
    4.9. Test Predictability of Auto-Generated Credentials  684
    4.10. Check for Unsafe Transmission of Credentials  684
    4.11. Check for Unsafe Distribution of Credentials  685
    4.12. Test for Logic Flaws  685
    4.12.1. Test for Fail-Open Conditions  685
    4.12.2. Test Any Multistage Mechanisms  686
    4.13. Exploit Any Vulnerabilities to Gain Unauthorized Access  687
    5. Test the Session Management Mechanism  688
    5.1. Understand the Mechanism  689
    5.2. Test Tokens for Meaning  689
    5.3. Test Tokens for Predictability  690
    5.4. Check for Insecure Transmission of Tokens  691
    5.5. Check for Disclosure of Tokens in Logs  692
    5.6. Check Mapping of Tokens to Sessions  692
    5.7. Test Session Termination  693
    5.8. Check for Session Fixation  694
    5.9. Check for XSRF  694
    5.10. Check Cookie Scope  695
    6. Test Access Controls  696
    6.1. Understand the Access Control Requirements  696
    6.2. Testing with Multiple Accounts  697
    6.3. Testing with Limited Access  697
    6.4. Test for Insecure Access Control Methods  698
    7. Test for Input-Based Vulnerabilities  699
    7.1. Fuzz All Request Parameters  699
    7.2. Test for SQL Injection  702
    7.3. Test for XSS and Other Response Injection  704
    7.3.1. Identify Reflected Request Parameters  704
    7.3.2. Test for Reflected XSS  705
    7.3.3. Test for HTTP Header Injection  705
    7.3.4. Test for Arbitrary Redirection  706
    7.3.5. Test for Stored Attacks  706
    7.4. Test for OS Command Injection  707
    7.5. Test for Path Traversal  709
    7.6. Test for Script Injection  711
    7.7. Test for File Inclusion  711
    8. Test for Function-Specific Input Vulnerabilities  712
    8.1. Test for SMTP Injection  712
    8.2. Test for Native Software Vulnerabilities  713
    8.2.1. Test for Buffer Overflows  713
    8.2.2. Test for Integer Vulnerabilities  714
    8.2.3. Test for Format String Vulnerabilities  714
    8.3. Test for SOAP Injection  715
    8.4. Test for LDAP Injection  715
    8.5. Test for XPath Injection  716
    9. Test for Logic Flaws  717
    9.1. Identify the Key Attack Surface  717
    9.2. Test Multistage Processes  718
    9.3. Test Handling of Incomplete Input  718
    9.4. Test Trust Boundaries  719
    9.5. Test Transaction Logic  719
    10. Test for Shared Hosting Vulnerabilities  720
    10.1. Test Segregation in Shared Infrastructures  720
    10.2. Test Segregation between ASP-Hosted Applications  721
    11. Test for Web Server Vulnerabilities  721
    11.1. Test for Default Credentials  722
    11.2. Test for Default Content  722
    11.3. Test for Dangerous HTTP Methods  722
    11.4. Test for Proxy Functionality  723
    11.5. Test for Virtual Hosting Misconfiguration  723
    11.6. Test for Web Server Software Bugs  723
    12. Miscellaneous Checks  724
    12.1. Check for DOM-Based Attacks  724
    12.2. Check for Frame Injection  725
    12.3. Check for Local Privacy Vulnerabilities  726
    12.4. Follow Up Any Information Leakage  726
    12.5. Check for Weak SSL Ciphers  727

Index  729