Hack Proofing™ Your Web Applications
From the authors of the best-selling Hack Proofing™ Your Network
1 Year Upgrade Buyer Protection Plan
Jeff Forristal
Julie Traxler, Technical Editor
The Only Way to Stop a Hacker Is to Think Like One
• Step-by-Step Instructions for Developing Secure Web Applications
• Hundreds of Tools & Traps and Damage & Defense Sidebars and Security Alerts!
• Complete Coverage of How to Hack Your Own Site
137_hackapps_FC 6/19/01 3:48 PM Page 1
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening.
Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.
The site at www.syngress.com/solutions is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:
■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.
Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.
www.syngress.com/solutions
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®,” are registered trademarks of Syngress Media, Inc. “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Hack Proofing Your Web Applications
Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-31-8
Technical edit by: Julie Traxler
Technical review by: Robert Hansen and Kevin Ziese
Co-Publisher: Richard Kristof
Developmental Editor: Kate Glennon
Acquisitions Editor: Catherine B. Nolan
Freelance Editorial Manager: Maribeth Corona-Evans
Copy edit by: Darren Meiss and Beth A. Roberts
Index by: Jennifer Coker
Page Layout and Art by: Shannon Tozier
Cover Design by: Michael Kavish
Distributed by Publishers Group West in the United States.
Acknowledgments
We would like to acknowledge the following people for their kindness and support in making this book possible.
Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities.
Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Bill Richter, Kevin Votel, and Brittin Clark of Publishers Group West for sharing their incredible marketing experience and expertise.
Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.
Anneke Baeten, Annabel Dent, and Laurie Giles of Harcourt Australia for all their help.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Ethan Atkin at Cranbury International for his help in expanding the Syngress program.
Joe Pisco, Helen Moyer, and the great folks at InterCity Press for all their help.
Contributors
Chris Broomes (MCSE, MCT, MCP+I, CCNA) is a Senior Network Analyst at DevonIT (www.devonitnet.com), a leading networking services provider specializing in network security and VPN solutions. Chris has worked in the IT industry for over eight years and has a wide range of technical experience. Chris is Founder and President of Infinite Solutions Group Inc. (www.infinitesols.com), a network consulting firm located in Lansdowne, PA that specializes in network design, integration, security services, technical writing, and training. Chris is currently pursuing the CCDA and CCNP certifications while mastering the workings of Cisco and Netscreen VPN and security devices.
Jeff Forristal is the Lead Security Developer for Neohapsis, a Chicago-based security solution/consulting firm. Apart from assisting in network security assessments and application security reviews (including source code review), Jeff is the driving force behind Security Alert Consensus, a joint security alert newsletter published on a weekly basis by Neohapsis, Network Computing, and the SANS Institute.
Drew Simonis (CCNA) is a Security Consultant for Fiderus Strategic Security and Privacy Services. He is an information-security specialist with experience in security guidelines, incident response, intrusion detection and prevention, and network and system administration. He has extensive knowledge of TCP/IP data networking and Unix (specifically AIX and Solaris), as well as sound knowledge of routing, switching, and bridging. Drew has been involved in several large-scale Web development efforts for companies such as AT&T, IBM, and several of their customers. This has included both planning and deployment of such efforts as online banking, automated customer care, and an online adaptive insurability assessment used by a major national insurance company. Drew helps customers of his current employer with network and application security assessments as well as assisting in ongoing development efforts. Drew is a member of MENSA and holds several industry certifications, including IBM Certified Specialist, AIX 4.3 System Administration, AIX 4.3 Communications, Sun Microsystems Certified Solaris System Administrator, Sun Microsystems Certified Solaris Network Administrator, Checkpoint Certified Security Administrator, and Checkpoint Certified Security Engineer. He resides in Tampa, FL.
Brian Bagnall (Sun Certified Java Programmer and Developer) is co-author of the Sun Certified Programmer for Java 2 Study Guide. He is currently the lead programmer at IdleWorks, a company located in Western Canada. IdleWorks develops distributed processing solutions for large and medium-sized businesses with supercomputing needs. His background includes working for IBM developing client-side applications. Brian is also a key programmer of Lejos, a Java software development kit for Lego Mindstorms. Brian would like to thank his family for their support, and especially his father Herb.
Michael Dinowitz hosts CF-Talk, the high-volume ColdFusion mailing list, out of House of Fusion.Com. He publishes and writes articles for the Fusion Authority Weekly News Alert (www.fusionauthority.com/alert). Michael is the author of Fusebox: Methodology and Techniques (ColdFusion Edition) and is the co-author of the best-selling ColdFusion Web Application Construction Kit. Whether it’s researching the lowest levels of ColdFusion functionality or presenting to an audience, Michael’s passion for the language is clear. Outside of Allaire, there are few evangelists as dedicated to the spread of the language and the strengthening of the community.
Jay D. Dyson is a Senior Security Consultant for OneSecure Inc., a trusted provider of managed digital security services. Jay also serves as part-time Security Advisor to the National Aeronautics and Space Administration (NASA). His extracurricular activities include maintaining Treachery.Net and serving as one of the founding staff members of Attrition.Org.
Joe Dulay (MCSD) is the Vice-President of Technology for the IT Age Corporation. IT Age Corporation is a project management and software development firm specializing in customer-oriented business enterprise and e-commerce solutions located in Atlanta, GA. His current responsibilities include managing the IT department, heading the technology steering committee, software architecture, e-commerce product management, and refining development processes and methodologies. Though most of his responsibilities lie in the role of manager and architect, he is still an active participant in the research and development team. Joe holds a bachelor’s degree from the University of Wisconsin in computer science. His background includes positions as a Senior Developer at Siemens Energy and Automation, and as an independent contractor specializing in e-commerce development. Joe would like to thank his family for always being there to help him.
Michael Cross (MCSE, MCPS, MCP+I, CNA) is a Microsoft Certified System Engineer, Microsoft Certified Product Specialist, Microsoft Certified Professional + Internet, and a Certified Novell Administrator. Michael is the Network Administrator, Internet Specialist, and a Programmer for the Niagara Regional Police Service. He is responsible for network security and administration, programming applications, and is Webmaster of their Web site at www.nrps.com. He has consulted and assisted in computer-related/Internet criminal cases and is part of an Information Technology team that provides support to a user base of over 800 civilian and uniform users.
Michael owns KnightWare, a company that provides consulting, programming, networking, Web page design, computer training, and other services. He has served as an instructor for private colleges and technical schools in London, Ontario Canada. He has been a freelance writer for several years and has been published over two dozen times in books and anthologies. Michael currently resides in St. Catharines, Ontario, Canada with his lovely fiancée Jennifer.
Edgar Danielyan (CCNA) is currently self-employed. Edgar has a diploma in company law from the British Institute of Legal Executives and is a certified paralegal from the University of Southern Colorado. He has been working as a Network Administrator and Manager of a top-level domain of Armenia. He has also worked for the United Nations, the Ministry of Defense, a national telco, a bank, and has been a partner in a law firm. He speaks four languages, likes good tea, and is a member of ACM, IEEE CS, USENIX, CIPS, ISOC, and IPG.
David G. Scarbrough is a Senior Developer with Education Networks of America where he is a lead member of the ColdFusion development team. He specializes in developing e-commerce sites. David has ColdFusion 4.5 Master Certification and is also experienced with HTML, JavaScript, PHP, Visual Basic, ActiveX, Flash 4.0, and SQL Server 7. He has also held positions as a Programmer and Computer Scientist. David graduated from Troy State University in Montgomery, AL with a bachelor of science in computer science. He lives in Smyrna, TN.
Technical Editor and Contributor
Julie Traxler is a Senior Software Tester for an Internet software company. Julie has also worked for DecisionOne, EXE Technologies, and TV Guide in positions that include Project Manager, Business Analyst, and Technical Writer. As a systems analyst and designer, Julie establishes quality assurance procedures, builds QA teams, and implements testing processes. The testing plans she has developed include testing for functionality, usability, requirements, acceptance, release, regression, security, integrity, and performance.
Technical Reviewers
Kevin Ziese is a Computer Scientist at Cisco Systems, Inc. Prior to joining Cisco he was a Senior Scientist and Founder of the Wheelgroup Corporation, which was acquired by Cisco Systems in April of 1998. Prior to starting the Wheelgroup Corporation, he was Chief of the Advanced Countermeasures Cell at the Air Force Information Warfare Center.
Robert Hansen is a self-taught computer expert residing in Northern California. Robert, known formerly as RSnake and currently as RSenic, has been heavily involved in the hacking and security scene since the mid 1990s and continues to work closely with black and white hats alike. Robert has worked for a major banner advertising company as an Information Specialist and for several start-up companies as Chief Operations Officer and Chief Security Officer. He has founded several security sites and organizations, and has been interviewed by many magazines, newspapers, and television outlets such as Forbes Online, Computer World, CNN, FOX and ABC News. He sends greets to #hackphreak, #ehap, friends, and family.
Contents
Foreword xxv
Chapter 1 Hacking Methodology 1
Introduction 2
Understanding the Terms 3
A Brief History of Hacking 4
Phone System Hacking 5
Computer Hacking 6
What Motivates a Hacker? 9
Ethical Hacking versus Malicious Hacking 10
Working with Security Professionals 11
Associated Risks with Hiring a Security Professional 12
Understanding Current Attack Types 13
DoS/DDoS 13
Virus Hacking 16
Trojan Horses 18
Worms 21
Rogue Applets 22
Stealing 23
Credit Card Theft 24
Theft of Identity 26
Information Piracy 27
Recognizing Web Application Security Threats 28
Hidden Manipulation 29
Parameter Tampering 29
Cross-Site Scripting 29
Buffer Overflow 30
Cookie Poisoning 31
Understand how rogue applets can transmit bad code: Mobile code applications, in the form of Java applets, JavaScript, and ActiveX controls, are powerful tools for distributing information. They are also powerful tools for transmitting malicious code. Rogue applets do not replicate themselves or simply corrupt data as viruses do, but instead they are most often specific attacks designed to steal data or disable systems.
Preventing Break-Ins by Thinking Like a Hacker 31
Summary 35
Solutions Fast Track 36
Frequently Asked Questions 40
Chapter 2 How to Avoid Becoming a “Code Grinder” 43
Introduction 44
What Is a Code Grinder? 45
Following the Rules 49
Thinking Creatively When Coding 50
Allowing for Thought 53
Modular Programming Done Correctly 53
Security from the Perspective of a Code Grinder 56
Coding in a Vacuum 58
Building Functional and Secure Web Applications 59
But My Code Is Functional! 66
There Is More to an Application than Functionality 68
Let’s Make It Secure and Functional 71
Summary 76
Solutions Fast Track 77
Frequently Asked Questions 78
Chapter 3 Understanding the Risks Associated with Mobile Code 81
Introduction 82
Recognizing the Impact of Mobile Code Attacks 83
Browser Attacks 83
Mail Client Attacks 84
Malicious Scripts or Macros 85
Identifying Common Forms of Mobile Code 86
Macro Languages: Visual Basic for Applications (VBA) 87
Security Problems with VBA 89
Protecting against VBA Viruses 92
JavaScript 93
JavaScript Security Overview 94
Thinking Creatively When Coding
■ Be aware of outside influences on your code; expect the unexpected!
■ Look for ways to minimize your code; keep the functionality in as small a core as possible.
■ Review, review, review! Don’t try to isolate your efforts or conceal mistakes.
Security Problems 95
Exploiting Plug-In Commands 96
Web-Based E-Mail Attacks 96
Social Engineering 97
Lowering JavaScript Security Risks 97
VBScript 98
VBScript Security Overview 98
VBScript Security Problems 99
VBScript Security Precautions 101
Java Applets 101
Granting Additional Access to Applets 102
Security Problems with Java 103
Java Security Precautions 104
ActiveX Controls 105
ActiveX Security Overview 105
Security Problems with ActiveX 107
E-Mail Attachments and Downloaded Executables 110
Back Orifice 2000 Trojan 111
Protecting Your System from Mobile Code Attacks 115
Security Applications 115
ActiveX Manager 115
Back Orifice Detectors 115
Firewall Software 119
Web-Based Tools 119
Identifying Bad ActiveX Controls 119
Client Security Updates 120
Summary 121
Solutions Fast Track 122
Frequently Asked Questions 123
Chapter 4 Vulnerable CGI Scripts 125
Introduction 126
What Is a CGI Script, and What Does It Do? 127
Typical Uses of CGI Scripts 129
When Should You Use CGI? 135
Understand how mobile code works for Java applets and ActiveX controls: [Figure: Mobile Code Residing on a Web Server. Labels: Sending Computer; HTML E-Mail Containing URL Reference to Code (Java Applet or ActiveX); HTML E-Mail Retrieves Code When Opened; Server; Applet or ActiveX; Your Computer]
CGI Script Hosting Issues 136
Break-Ins Resulting from Weak CGI Scripts 137
How to Write “Tighter” CGI Scripts 139
Searchable Index Commands 143
CGI Wrappers 144
Whisker 145
Languages for Writing CGI Scripts 149
Unix Shell 150
Perl 151
C/C++ 151
Visual Basic 152
Advantages of Using CGI Scripts 153
Rules for Writing Secure CGI Scripts 153
Storing CGI Scripts 157
Summary 161
Solutions Fast Track 161
Frequently Asked Questions 165
Chapter 5 Hacking Techniques and Tools 167
Introduction 168
A Hacker’s Goals 169
Minimize the Warning Signs 170
Maximize the Access 172
Damage, Damage, Damage 175
Turning the Tables 177
The Five Phases of Hacking 178
Creating an Attack Map 179
Building an Execution Plan 182
Establishing a Point of Entry 183
Continued and Further Access 184
The Attack 186
Social Engineering 188
Sensitive Information 188
E-Mail or Messaging Services 189
Telephones and Documents 191
Credentials 193
The Intentional “Back Door” Attack 195
Tools & Traps… Beware of User Input: One of the most common methods of exploiting CGI scripts and programs is used when scripts allow user input, but the data that users are submitting is not checked. Controlling what information users are able to submit will reduce your chances of being hacked through a CGI script dramatically.
Hard-Coding a Back Door Password 195
Exploiting Inherent Weaknesses in Code or Programming Environments 198
The Tools of the Trade 199
Hex Editors 199
Debuggers 201
Disassemblers 202
Windows-Based Tools 202
Quick View 204
DOS-Based Tools 204
Summary 206
Solutions Fast Track 207
Frequently Asked Questions 211
Chapter 6 Code Auditing and Reverse Engineering 215
Introduction 216
How to Efficiently Trace through a Program 216
Auditing and Reviewing Selected Programming Languages 220
Reviewing Java 220
Reviewing Java Server Pages 221
Reviewing Active Server Pages 221
Reviewing Server Side Includes 222
Reviewing Python 222
Reviewing Tool Command Language 222
Reviewing Practical Extraction and Reporting Language 222
Reviewing PHP: Hypertext Preprocessor 223
Reviewing C/C++ 223
Reviewing ColdFusion 224
Looking for Vulnerabilities 224
Getting the Data from the User 225
Looking for Buffer Overflows 226
The str* Family of Functions 227
The strn* Family of Functions 228
The *scanf Family of Functions 228
Answers All Your Questions About Hacking Techniques
Q: What should I do if I stumble across a back door in my code base?
A: First and most importantly, determine that it is a genuine back door. Segments of code often appear to have no authentication aspect and can do some rather powerful things, but nonetheless had proper authentication performed prior to their being called. If your best research still indicates that it is a back door, contact an associate in your security department who understands the language in which you're coding and request a review of the code. If that person determines it is a back door, it should be investigated to determine whether the code was introduced simply due to poor planning or actual malice.
Other Functions Vulnerable to Buffer Overflows 229
Checking the Output Given to the User 230
Format String Vulnerabilities 230
Cross-Site Scripting 232
Information Disclosure 234
Checking for File System Access/Interaction 235
Checking External Program and Code Execution 238
Calling External Programs 239
Dynamic Code Execution 240
External Objects/Libraries 241
Checking Structured Query Language (SQL)/Database Queries 242
Checking Networking and Communication Streams 245
Pulling It All Together 247
Summary 248
Solutions Fast Track 248
Frequently Asked Questions 250
Chapter 7 Securing Your Java Code 253
Introduction 254
Overview of the Java Security Architecture 255
The Java Security Model 257
The Sandbox 259
Security and Java Applets 260
How Java Handles Security 264
Class Loaders 265
The Applet Class Loader 266
Adding Security to a Custom Class Loader 266
Byte-Code Verifier 269
Java Protected Domains 275
Java Security Manager 276
Policy Files 277
The SecurityManager Class 284
How to Efficiently Trace through a Program
■ Tracing a program’s execution from start to finish is too time-intensive.
■ You can save time by instead going directly to problem areas.
■ This approach allows you to skip benign application processing/calculation logic.
Potential Weaknesses in Java 285
DoS Attack/Degradation of Service Attacks 285
Third-Party Trojan Horse Attacks 289
Coding Functional but Secure Java Applets 290
Message Digests 291
Digital Signatures 295
Generating a Key Pair 298
Obtaining and Verifying a Signature 301
Authentication 303
X.509 Certificate Format 305
Obtaining Digital Certificates 305
Protecting Security with JAR Signing 311
Encryption 315
Cryptix Installation Instructions 319
Sun Microsystems Recommendations for Java Security 322
Privileged Code Guidelines 323
Java Code Guidelines 324
C Code Guidelines 325
Summary 326
Solutions Fast Track 327
Frequently Asked Questions 329
Chapter 8 Securing XML 331
Introduction 332
Defining XML 332
Logical Structure 334
Elements 335
Attributes 336
Well-Formed Documents 337
Valid Document 337
XML and XSL/DTD Documents 339
XSL Use of Templates 339
XSL Use of Patterns 340
DTD 344
Schemas 345
Creating Web Applications Using XML 347
Complete coverage of the Java Security Model:
■ Class loaders
■ Byte-code verification
■ Security managers
■ Digital signatures
■ Authentication using certificates
■ JAR signing
■ Encryption
Damage & Defense: Debugging XSL
The interaction of a style sheet with an XML document can be a complicated process, and unfortunately, style sheet errors can often be cryptic. Microsoft has an HTML-based XSL debugger you can use to walk through the execution of your XSL. You can also view the source code to make your own improvements. You can find the XSL Debugger at rosoft.com/downloads/samples/internet/xml/sxl_debugger/default.asp.
The Risks Associated with Using XML 352
Confidentiality Concerns 353
Securing XML 354
XML Encryption 355
XML Digital Signatures 362
Summary 366
Solutions Fast Track 367
Frequently Asked Questions 369
Chapter 9 Building Safe ActiveX Internet Controls 371
Introduction 372
Dangers Associated with Using ActiveX 373
Avoiding Common ActiveX Vulnerabilities 375
Lessening the Impact of ActiveX Vulnerabilities 378
Protection at the Network Level 379
Protection at the Client Level 379
Methodology for Writing Safe ActiveX Controls 382
Object Safety Settings 383
Securing ActiveX Controls 385
Control Signing 385
Using Microsoft Authenticode 387
Control Marking 389
Using Safety Settings 389
Using IObjectSafety 390
Marking the Control in the Windows Registry 395
Summary 397
Solutions Fast Track 398
Frequently Asked Questions 400
Chapter 10 Securing ColdFusion 403
Introduction 404
How Does ColdFusion Work? 404
Utilizing the Benefit of Rapid Development 406
[Figure: Use ActiveX and understand the Authenticode Security Warning]
Understanding ColdFusion Markup Language 408
Scalable Deployment 410
Open Integration 410
Preserving ColdFusion Security 411
Secure Development 414
CFINCLUDE 414
Queries 419
Uploaded Files 425
Denial of Service 425
Turning Off Tags 426
Secure Deployment 427
ColdFusion Application Processing 428
Checking for Existence of Data 428
Checking Data Types 430
Data Evaluation 433
Risks Associated with Using ColdFusion 435
Using Error Handling Programs 438
Monitor.cfm Example 441
Using Per-Session Tracking 444
Summary 447
Solutions Fast Track 448
Frequently Asked Questions 450
Chapter 11 Developing Security-Enabled Applications 451
Introduction 452
The Benefits of Using Security-Enabled Applications 453
Types of Security Used in Applications 454
Digital Signatures 455
Pretty Good Privacy 456
Secure Multipurpose Internet Mail Extension 459
Secure Sockets Layer 460
Server Authentication 462
Client Authentication 462
Digital Certificates 466
Write Secure ColdFusion Code: When writing a ColdFusion application, you must look out for a number of tags that involve the movement of data in ways that can be attacked. In most cases, validating the data sent to a page will prevent them from being misused. In others, not allowing attributes to be set dynamically is the answer. For each tag we examine, another solution may be to just turn the tag off (an option controlled by the administration panel). Other tags cannot be turned off and must be coded properly.
[Figure: Select Cryptography Token, Key Type, and Key Length]
Reviewing the Basics of PKI 468
Certificate Services 471
iPlanet by Sun/Netscape 472
Using PKI to Secure Web Applications 472
Implementing PKI in Your Web Infrastructure 473
Microsoft Certificate Services 474
Netscape Certificate Server 478
Installation of Netscape Certificate Server 478
Administering Netscape CMS 483
PKI for Apache Server 486
PKI and Secure Software Toolkits 487
Testing Your Security Implementation 488
Summary 492
Solutions Fast Track 493
Frequently Asked Questions 497
Chapter 12 Cradle to Grave: Working with a Security Plan 499
Introduction 500
Examining Your Code 501
Code Reviews 502
Peer-to-Peer Code Reviews 504
Being Aware of Code Vulnerabilities 508
Testing, Testing, Testing 510
Using Common Sense When Coding 512
Planning 513
Coding Standards 514
Header Comments 514
Variable Declaration Comments 515
The Tools 516
Rule-Based Analyzers 516
Debugging and Error Handling 517
Version Control and Source Code Tracking 518
Creating a Security Plan 520
Security Planning at the Network Level 522
Security Planning at the Application Level 523
Set up a checklist of defects not easily detected through standard testing methods for working in a Java environment:
■ Excessive copying of strings—unnecessary copies of immutable objects
■ Failure to clone returned objects
■ Unnecessary cloning
■ Copying arrays by hand
■ Copying the wrong thing or making only a partial copy
■ Testing new for null
■ Using == instead of .equals
■ The confusion of nonatomic and atomic operations
■ The addition of unnecessary catch blocks
■ Failure to implement equals, clone or hashcode
Security Planning at the Desktop Level 523
Web Application Security Process 524
Summary 527
Solutions Fast Track 528
Frequently Asked Questions 530
Appendix Hack Proofing Your Web Applications Fast Track 533
Index 561