Hacking Web Apps: Detecting and Preventing Web Application Security Problems [1 ed.] 159749951X, 9781597499514

How can an information security professional keep up with all of the hacks, attacks, and exploits on the Web? One way is


Language: English. Pages: 296 [284]. Year: 2012.


Table of contents :
Hacking Web Apps......Page 0
Hacking Web Apps......Page 3
Copyright ......Page 5
About the Author......Page 6
Acknowledgements......Page 7
Introduction......Page 8
BOOK AUDIENCE......Page 9
HOW THIS BOOK IS ORGANIZED......Page 13
WHERE TO GO FROM HERE......Page 14
1 HTML5......Page 16
The New Document Object Model (DOM)......Page 17
Cross-Origin Resource Sharing (CORS)......Page 18
WebSockets......Page 21
Transferring Data......Page 25
Data Frames......Page 26
Security Considerations......Page 28
Web Storage......Page 29
Web Workers......Page 31
History API......Page 34
Summary......Page 35
2 HTML Injection & Cross-Site Scripting (XSS)......Page 37
Understanding HTML Injection......Page 38
Identifying Points of Injection......Page 44
Form Fields......Page 45
HTTP Request Headers & Cookies......Page 47
JavaScript Object Notation (JSON)......Page 48
Document Object Model (DOM) Properties......Page 49
Cascading Style Sheets (CSS)......Page 50
Ephemeral......Page 51
Out of Band......Page 52
Element Attributes......Page 56
JavaScript Variables......Page 58
Putting the Hack Together......Page 59
Abusing Character Sets......Page 62
Encoding 0X00—Nothing Really Matters......Page 64
Why Encoding Matters for HTML Injection......Page 68
Exploiting Failure Modes......Page 70
Bypassing Weak Exclusion Lists......Page 73
Leveraging Browser Quirks......Page 74
The Unusual Suspects......Page 77
Surprising MIME Types......Page 78
SVG Markup......Page 79
Data Redirection......Page 80
Employing Countermeasures......Page 81
Fixing a Static Character Set......Page 82
Normalizing Character Sets and Encoding......Page 83
Encoding the Output......Page 84
Beware of Exclusion Lists and Regexes......Page 85
JavaScript Sandboxes......Page 87
HTML5 Sandboxes......Page 88
Browsers’ Built-In XSS Defenses......Page 90
Summary......Page 92
3 Cross-Site Request Forgery (CSRF)......Page 93
Understanding Cross-Site Request Forgery......Page 94
The Mechanics of CSRF......Page 97
Request Forgery via Forced Browsing......Page 99
POST Forgery......Page 100
The Madness of Methods......Page 101
Dangerous Liaison: CSRF and HTML Injection......Page 103
Be Wary of the Tangled Web......Page 104
Variation on a Theme: Clickjacking......Page 105
Employing Countermeasures......Page 107
A Dependable Origin......Page 108
An Unreliable Referer......Page 110
Custom Headers: X-Marks-the-Spot......Page 112
Shared Secrets......Page 113
Mirror the Cookie......Page 114
Understanding Same Origin Policy......Page 115
Anti-Framing via JavaScript......Page 116
Defending the Web Browser......Page 117
Summary......Page 118
4 SQL Injection & Data Store Manipulation......Page 120
Understanding SQL Injection......Page 122
Hacking Tangents: Mathematical and Grammatical......Page 125
Breaking SQL Statements......Page 126
Breaking Naive Defenses......Page 128
Exploiting Errors......Page 130
Inference......Page 133
Data Truncation......Page 134
Extracting Information with Stacked Queries......Page 135
Controlling the Database & Operating System......Page 136
Alternate Attack Vectors......Page 138
Real-World SQL Injection......Page 139
HTML5’s Web Storage API......Page 140
SQL Injection Without SQL......Page 141
Employing Countermeasures......Page 143
Securing the Statement......Page 144
Parameterized Queries......Page 145
Stored Procedures......Page 149
Protecting Information......Page 150
Encrypting Data......Page 151
Stay Current with Database Patches......Page 152
Summary......Page 153
5 Breaking Authentication Schemes......Page 154
Replaying the Session Token......Page 155
Reverse Engineering the Session Token......Page 157
Brute Force......Page 158
Sniffing......Page 159
Cross-Site Scripting (XSS)......Page 162
SQL Injection......Page 163
Gulls & Gullibility......Page 164
Employing Countermeasures......Page 165
Protect Session Cookies......Page 166
Regenerate Random Session Tokens......Page 167
Cryptographically Hash the Password......Page 168
Protecting Passwords in Transit......Page 170
Password Recovery......Page 171
OAuth 2.0......Page 172
OpenID......Page 173
HTTP Strict-Transport-Security (HSTS)......Page 174
Reinforce Security Boundaries......Page 176
Escalating Authentication Requirements......Page 177
Request Throttling......Page 178
Defeating Phishing......Page 179
Summary......Page 181
6 Abusing Design Deficiencies......Page 183
Understanding Logic & Design Attacks......Page 186
Exploiting Policies & Practices......Page 187
Induction......Page 192
Ambiguity, Undefined, & Unexpected Behavior......Page 195
Inadequate Data Sanitization......Page 197
Incorrect Normalization & Synonymous Syntax......Page 198
Insufficient Randomness......Page 200
XOR......Page 201
Attacking Encryption with Replay & Bit-Flipping......Page 205
Message Authentication Code Length-Extension Attacks......Page 207
Information Sieves......Page 213
Documenting Requirements......Page 214
Security Testing......Page 215
Mapping Policies to Controls......Page 216
Encryption Guidelines......Page 217
Summary......Page 218
7 Leveraging Platform Weaknesses......Page 220
Recognizing Patterns, Structures, & Developer Quirks......Page 221
Relying on HTML & JavaScript to Remain Hidden......Page 222
Authorization By Obfuscation......Page 223
Pattern Recognition......Page 226
File Access & Path Traversal......Page 227
Predictable Identifiers......Page 228
Inside the Pseudo-Random Number Generator (PRNG)......Page 229
Creating a Phase Space Graph......Page 231
The Fallacy of Complex Manipulation......Page 234
Poor Security Context......Page 235
Targeting the Operating System......Page 236
Executing Shell Commands......Page 237
Loading Commands Remotely......Page 240
Denial of Service......Page 241
Network......Page 242
Regular Expressions......Page 243
Hash Collisions......Page 244
Restricting File Access......Page 246
Blacklisting Insecure Functions......Page 247
Web Application Firewalls......Page 248
Summary......Page 249
8 Browser & Privacy Attacks......Page 250
Understanding Malware and Browser Attacks......Page 251
Malware......Page 252
User-Agent......Page 254
Plugging in to Browser Plugins......Page 255
Malicious Plugins......Page 256
DNS and Origins......Page 257
Cross-Document Messaging......Page 258
Tracking Tokens......Page 260
Browser Fingerprinting......Page 262
Extended Verification Certificates......Page 263
Inconsistent Mobile Security......Page 265
Configure SSL/TLS Securely......Page 269
Safer Browsing......Page 270
Tor......Page 271
Summary......Page 272
B......Page 274
C......Page 275
E......Page 276
H......Page 277
I......Page 278
M......Page 279
P......Page 280
R......Page 281
S......Page 282
W......Page 283
X......Page 284
