The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws [2nd edition] 9781118026472, 9781118175224, 9781118175248, 9781118175231, 1118026470

The highly successful security book returns with a new edition, completely updatedWeb applications are the front door to

271 26 14MB

English Pages 912 [914] Year 2011

Report DMCA / Copyright

DOWNLOAD PDF FILE

Table of contents :
The Web Application Hacker’s Handbook......Page 3
Contents......Page 11
Introduction......Page 25
Chapter 1 Web Application (In)security......Page 37
The Evolution of Web Applications......Page 38
Common Web Application Functions......Page 40
Benefits of Web Applications......Page 41
Web Application Security......Page 42
"This Site Is Secure"......Page 43
The Core Security Problem: Users Can Submit Arbitrary Input......Page 45
Key Problem Factors......Page 46
The New Security Perimeter......Page 48
The Future of Web Application Security......Page 50
Summary......Page 51
Chapter 2 Core Defense Mechanisms......Page 53
Authentication......Page 54
Session Management......Page 55
Access Control......Page 56
Varieties of Input......Page 57
Approaches to Input Handling......Page 59
Boundary Validation......Page 61
Multistep Validation and Canonicalization......Page 64
Handling Errors......Page 66
Maintaining Audit Logs......Page 67
Alerting Administrators......Page 69
Reacting to Attacks......Page 70
Managing the Application......Page 71
Questions......Page 72
The HTTP Protocol......Page 75
HTTP Requests......Page 76
HTTP Responses......Page 77
HTTP Methods......Page 78
REST......Page 80
HTTP Headers......Page 81
Cookies......Page 83
Status Codes......Page 84
HTTP Proxies......Page 85
HTTP Authentication......Page 86
Server-Side Functionality......Page 87
Client-Side Functionality......Page 93
Encoding Schemes......Page 102
Unicode Encoding......Page 103
HTML Encoding......Page 104
Hex Encoding......Page 105
Next Steps......Page 106
Questions......Page 107
Chapter 4 Mapping the Application......Page 109
Web Spidering......Page 110
User-Directed Spidering......Page 113
Discovering Hidden Content......Page 116
Application Pages Versus Functional Paths......Page 129
Discovering Hidden Parameters......Page 132
Analyzing the Application......Page 133
Identifying Entry Points for User Input......Page 134
Identifying Server-Side Technologies......Page 137
Identifying Server-Side Functionality......Page 143
Mapping the Attack Surface......Page 147
Questions......Page 150
Chapter 5 Bypassing Client-Side Controls......Page 153
Hidden Form Fields......Page 154
URL Parameters......Page 157
The Referer Header......Page 158
Opaque Data......Page 159
The ASP.NET ViewState......Page 160
Capturing User Data: HTML Forms......Page 163
Length Limits......Page 164
Script-Based Validation......Page 165
Disabled Elements......Page 167
Capturing User Data: Browser Extensions......Page 169
Common Browser Extension Technologies......Page 170
Intercepting Traffic from Browser Extensions......Page 171
Decompiling Browser Extensions......Page 175
Attaching a Debugger......Page 187
Native Client Components......Page 189
Transmitting Data Via the Client......Page 190
Validating Client-Generated Data......Page 191
Summary......Page 192
Questions......Page 193
Chapter 6 Attacking Authentication......Page 195
Authentication Technologies......Page 196
Bad Passwords......Page 197
Brute-Forcible Login......Page 198
Verbose Failure Messages......Page 202
Vulnerable Transmission of Credentials......Page 205
Password Change Functionality......Page 207
Forgotten Password Functionality......Page 209
"Remember Me" Functionality......Page 212
User Impersonation Functionality......Page 214
Incomplete Validation of Credentials......Page 216
Nonunique Usernames......Page 217
Predictable Usernames......Page 218
Predictable Initial Passwords......Page 219
Insecure Distribution of Credentials......Page 220
Fail-Open Login Mechanisms......Page 221
Defects in Multistage Login Mechanisms......Page 222
Insecure Storage of Credentials......Page 226
Securing Authentication......Page 227
Handle Credentials Secretively......Page 228
Validate Credentials Properly......Page 229
Prevent Information Leakage......Page 231
Prevent Brute-Force Attacks......Page 232
Prevent Misuse of the Account Recovery Function......Page 235
Summary......Page 237
Questions......Page 238
Chapter 7 Attacking Session Management......Page 241
The Need for State......Page 242
Alternatives to Sessions......Page 244
Meaningful Tokens......Page 246
Predictable Tokens......Page 249
Encrypted Tokens......Page 259
Weaknesses in Session Token Handling......Page 269
Disclosure of Tokens on the Network......Page 270
Disclosure of Tokens in Logs......Page 273
Vulnerable Mapping of Tokens to Sessions......Page 276
Vulnerable Session Termination......Page 277
Client Exposure to Token Hijacking......Page 279
Liberal Cookie Scope......Page 280
Generate Strong Tokens......Page 284
Protect Tokens Throughout Their Life Cycle......Page 286
Log, Monitor, and Alert......Page 289
Summary......Page 290
Questions......Page 291
Chapter 8 Attacking Access Controls......Page 293
Common Vulnerabilities......Page 294
Completely Unprotected Functionality......Page 295
Identifier-Based Functions......Page 297
Multistage Functions......Page 298
Static Files......Page 299
Platform Misconfiguration......Page 300
Insecure Access Control Methods......Page 301
Attacking Access Controls......Page 302
Testing with Different User Accounts......Page 303
Testing Multistage Processes......Page 307
Testing with Limited Access......Page 309
Testing Direct Access to Methods......Page 312
Testing Controls Over Static Resources......Page 313
Securing Access Controls......Page 314
A Multilayered Privilege Model......Page 316
Questions......Page 320
Chapter 9 Attacking Data Stores......Page 323
Bypassing a Login......Page 324
Injecting into SQL......Page 327
Exploiting a Basic Vulnerability......Page 328
Injecting into Different Statement Types......Page 330
Finding SQL Injection Bugs......Page 334
Fingerprinting the Database......Page 339
The UNION Operator......Page 340
Extracting Data with UNION......Page 344
Bypassing Filters......Page 347
Second-Order SQL Injection......Page 349
Advanced Exploitation......Page 350
Beyond SQL Injection: Escalating the Database Attack......Page 361
Using SQL Exploitation Tools......Page 364
SQL Syntax and Error Reference......Page 368
Preventing SQL Injection......Page 374
Injecting into NoSQL......Page 378
Injecting into MongoDB......Page 379
Injecting into XPath......Page 380
Subverting Application Logic......Page 381
Informed XPath Injection......Page 382
Blind XPath Injection......Page 383
Finding XPath Injection Flaws......Page 384
Injecting into LDAP......Page 385
Exploiting LDAP Injection......Page 387
Finding LDAP Injection Flaws......Page 389
Questions......Page 390
Chapter 10 Attacking Back-End Components......Page 393
Example 1: Injecting Via Perl......Page 394
Example 2: Injecting Via ASP......Page 396
Injecting Through Dynamic Execution......Page 398
Finding OS Command Injection Flaws......Page 399
Finding Dynamic Execution Vulnerabilities......Page 402
Preventing OS Command Injection......Page 403
Path Traversal Vulnerabilities......Page 404
File Inclusion Vulnerabilities......Page 417
Injecting into XML Interpreters......Page 419
Injecting XML External Entities......Page 420
Injecting into SOAP Services......Page 422
Finding and Exploiting SOAP Injection......Page 425
Server-side HTTP Redirection......Page 426
HTTP Parameter Injection......Page 429
Injecting into Mail Services......Page 433
E-mail Header Manipulation......Page 434
SMTP Command Injection......Page 435
Finding SMTP Injection Flaws......Page 436
Summary......Page 438
Questions......Page 439
Chapter 11 Attacking Application Logic......Page 441
Real-World Logic Flaws......Page 442
Example 1: Asking the Oracle......Page 443
Example 2: Fooling a Password Change Function......Page 445
Example 3: Proceeding to Checkout......Page 446
Example 4: Rolling Your Own Insurance......Page 448
Example 5: Breaking the Bank......Page 450
Example 6: Beating a Business Limit......Page 452
Example 7: Cheating on Bulk Discounts......Page 454
Example 8: Escaping from Escaping......Page 455
Example 9: Invalidating Input Validation......Page 456
Example 10: Abusing a Search Function......Page 458
Example 11: Snarfing Debug Messages......Page 460
Example 12: Racing Against the Login......Page 462
Avoiding Logic Flaws......Page 464
Summary......Page 465
Questions......Page 466
Chapter 12 Attacking Users: Cross-Site Scripting......Page 467
Varieties of XSS......Page 469
Reflected XSS Vulnerabilities......Page 470
Stored XSS Vulnerabilities......Page 474
DOM-Based XSS Vulnerabilities......Page 476
Real-World XSS Attacks......Page 478
Payloads for XSS Attacks......Page 479
Delivery Mechanisms for XSS Attacks......Page 483
Finding and Exploiting XSS Vulnerabilities......Page 487
Finding and Exploiting Reflected XSS Vulnerabilities......Page 488
Finding and Exploiting Stored XSS Vulnerabilities......Page 517
Finding and Exploiting DOM-Based XSS Vulnerabilities......Page 523
Preventing Reflected and Stored XSS......Page 528
Preventing DOM-Based XSS......Page 532
Questions......Page 534
Inducing User Actions......Page 537
Request Forgery......Page 538
UI Redress......Page 547
Capturing Data Cross-Domain......Page 551
Capturing Data by Injecting HTML......Page 552
Capturing Data by Injecting CSS......Page 553
JavaScript Hijacking......Page 555
The Same-Origin Policy Revisited......Page 560
The Same-Origin Policy and Browser Extensions......Page 561
The Same-Origin Policy and HTML5......Page 564
Crossing Domains with Proxy Service Applications......Page 565
HTTP Header Injection......Page 567
Cookie Injection......Page 572
Open Redirection Vulnerabilities......Page 576
Client-Side SQL Injection......Page 583
Client-Side HTTP Parameter Pollution......Page 584
Persistent Cookies......Page 586
Cached Web Content......Page 587
Autocomplete......Page 588
Silverlight Isolated Storage......Page 589
Preventing Local Privacy Attacks......Page 590
Attacking ActiveX Controls......Page 591
Finding ActiveX Vulnerabilities......Page 592
Preventing ActiveX Vulnerabilities......Page 594
Attacking the Browser......Page 595
Enumerating Currently Used Applications......Page 596
Attacking Other Network Hosts......Page 597
Exploiting Non-HTTP Services......Page 598
DNS Rebinding......Page 599
Browser Exploitation Frameworks......Page 600
Man-in-the-Middle Attacks......Page 602
Questions......Page 604
Chapter 14 Automating Customized Attacks......Page 607
Uses for Customized Automation......Page 608
Enumerating Valid Identifiers......Page 609
Detecting Hits......Page 610
Scripting the Attack......Page 612
JAttack......Page 613
Harvesting Useful Data......Page 619
Fuzzing for Common Vulnerabilities......Page 622
Putting It All Together: Burp Intruder......Page 626
Session-Handling Mechanisms......Page 638
CAPTCHA Controls......Page 646
Questions......Page 649
Exploiting Error Messages......Page 651
Script Error Messages......Page 652
Stack Traces......Page 653
Informative Debug Messages......Page 654
Server and Database Messages......Page 655
Using Public Information......Page 659
Engineering Informative Error Messages......Page 660
Gathering Published Information......Page 661
Using Inference......Page 662
Preventing Information Leakage......Page 663
Protect Sensitive Information......Page 664
Summary......Page 665
Questions......Page 666
Chapter 16 Attacking Native Compiled Applications......Page 669
Stack Overflows......Page 670
Heap Overflows......Page 671
"Off-by-One" Vulnerabilities......Page 672
Detecting Buffer Overflow Vulnerabilities......Page 675
Integer Overflows......Page 676
Signedness Errors......Page 677
Detecting Integer Vulnerabilities......Page 678
Format String Vulnerabilities......Page 679
Detecting Format String Vulnerabilities......Page 680
Questions......Page 681
Tiered Architectures......Page 683
Attacking Tiered Architectures......Page 684
Securing Tiered Architectures......Page 690
Shared Hosting and Application Service Providers......Page 692
Shared Application Services......Page 693
Attacking Shared Environments......Page 694
Securing Shared Environments......Page 701
Questions......Page 703
Chapter 18 Attacking the Application Server......Page 705
Default Credentials......Page 706
Default Content......Page 707
Directory Listings......Page 713
WebDAV Methods......Page 715
The Application Server as a Proxy......Page 718
Misconfigured Virtual Hosting......Page 719
Vulnerable Server Software......Page 720
Application Framework Flaws......Page 721
Memory Management Vulnerabilities......Page 723
Encoding and Canonicalization......Page 725
Finding Web Server Flaws......Page 730
Securing Web Server Software......Page 731
Web Application Firewalls......Page 733
Questions......Page 735
Chapter 19 Finding Vulnerabilities in Source Code......Page 737
Black-Box Versus White-Box Testing......Page 738
Code Review Methodology......Page 739
Cross-Site Scripting......Page 740
SQL Injection......Page 741
Path Traversal......Page 742
Arbitrary Redirection......Page 743
Backdoor Passwords......Page 744
Native Software Bugs......Page 745
Source Code Comments......Page 746
Identifying User-Supplied Data......Page 747
Session Interaction......Page 748
Potentially Dangerous APIs......Page 749
Configuring the Java Environment......Page 752
Identifying User-Supplied Data......Page 754
Session Interaction......Page 755
Potentially Dangerous APIs......Page 756
Configuring the ASP.NET Environment......Page 759
Identifying User-Supplied Data......Page 760
Potentially Dangerous APIs......Page 763
Configuring the PHP Environment......Page 768
Identifying User-Supplied Data......Page 771
Potentially Dangerous APIs......Page 772
Configuring the Perl Environment......Page 775
JavaScript......Page 776
SQL Injection......Page 777
Calls to Dangerous Functions......Page 778
Tools for Code Browsing......Page 779
Questions......Page 780
Chapter 20 A Web Application Hacker’s Toolkit......Page 783
Internet Explorer......Page 784
Firefox......Page 785
Chrome......Page 786
How the Tools Work......Page 787
Testing Work Flow......Page 805
Alternatives to the Intercepting Proxy......Page 807
Standalone Vulnerability Scanners......Page 809
Vulnerabilities Detected by Scanners......Page 810
Inherent Limitations of Scanners......Page 812
Technical Challenges Faced by Scanners......Page 814
Current Products......Page 817
Using a Vulnerability Scanner......Page 819
Hydra......Page 821
Custom Scripts......Page 822
Summary......Page 825
Chapter 21 A Web Application Hacker’s Methodology......Page 827
General Guidelines......Page 829
1.1 Explore Visible Content......Page 831
1.3 Discover Hidden Content......Page 832
1.5 Enumerate Identifier-Specified Functions......Page 833
2.1 Identify Functionality......Page 834
2.3 Identify the Technologies Used......Page 835
3 Test Client-Side Controls......Page 836
3.2 Test Client-Side Controls Over User Input......Page 837
3.3 Test Browser Extension Components......Page 838
4.1 Understand the Mechanism......Page 841
4.3 Test for Username Enumeration......Page 842
4.5 Test Any Account Recovery Function......Page 843
4.7 Test Any Impersonation Function......Page 844
4.9 Test Predictability of Autogenerated Credentials......Page 845
4.11 Check for Unsafe Distribution of Credentials......Page 846
4.13 Test for Logic Flaws......Page 847
4.14 Exploit Any Vulnerabilities to Gain Unauthorized Access......Page 849
5.1 Understand the Mechanism......Page 850
5.2 Test Tokens for Meaning......Page 851
5.3 Test Tokens for Predictability......Page 852
5.5 Check for Disclosure of Tokens in Logs......Page 853
5.7 Test Session Termination......Page 854
5.8 Check for Session Fixation......Page 855
5.10 Check Cookie Scope......Page 856
6.1 Understand the Access Control Requirements......Page 857
6.3 Test with Limited Access......Page 858
6.4 Test for Insecure Access Control Methods......Page 859
7.1 Fuzz All Request Parameters......Page 860
7.2 Test for SQL Injection......Page 863
7.3 Test for XSS and Other Response Injection......Page 865
7.4 Test for OS Command Injection......Page 868
7.5 Test for Path Traversal......Page 869
7.7 Test for File Inclusion......Page 871
8.1 Test for SMTP Injection......Page 872
8.2 Test for Native Software Vulnerabilities......Page 873
8.4 Test for LDAP Injection......Page 875
8.5 Test for XPath Injection......Page 876
8.7 Test for XXE Injection......Page 877
9.2 Test Multistage Processes......Page 878
9.3 Test Handling of Incomplete Input......Page 879
9.5 Test Transaction Logic......Page 880
10.2 Test Segregation Between ASP-Hosted Applications......Page 881
11.1 Test for Default Credentials......Page 882
11.5 Test for Virtual Hosting Misconfiguration......Page 883
11.7 Test for Web Application Firewalling......Page 884
12.1 Check for DOM-Based Attacks......Page 885
12.2 Check for Local Privacy Vulnerabilities......Page 886
12.4 Check Same-Origin Policy Configuration......Page 887
13 Follow Up Any Information Leakage......Page 888
Index......Page 889

The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws [2nd edition]
 9781118026472, 9781118175224, 9781118175248, 9781118175231, 1118026470

  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Recommend Papers