The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws [2 ed.] 9781118026472, 1118026470

Table of contents :
Contents
Introduction
Chapter 1 Web Application (In)security
The Evolution of Web Applications
Common Web Application Functions
Benefits of Web Applications
Web Application Security
"This Site Is Secure"
The Core Security Problem: Users Can Submit Arbitrary Input
Key Problem Factors
The New Security Perimeter
The Future of Web Application Security
Summary
Chapter 2 Core Defense Mechanisms
Handling User Access
Authentication
Session Management
Access Control
Handling User Input
Varieties of Input
Approaches to Input Handling
Boundary Validation
Multistep Validation and Canonicalization
Handling Attackers
Handling Errors
Maintaining Audit Logs
Alerting Administrators
Reacting to Attacks
Managing the Application
Summary
Questions
Chapter 3 Web Application Technologies
The HTTP Protocol
HTTP Requests
HTTP Responses
HTTP Methods
URLs
REST
HTTP Headers
Cookies
Status Codes
HTTPS
HTTP Proxies
HTTP Authentication
Web Functionality
Server-Side Functionality
Client-Side Functionality
State and Sessions
Encoding Schemes
URL Encoding
Unicode Encoding
HTML Encoding
Base64 Encoding
Hex Encoding
Remoting and Serialization Frameworks
Next Steps
Questions
Chapter 4 Mapping the Application
Enumerating Content and Functionality
Web Spidering
User-Directed Spidering
Discovering Hidden Content
Application Pages Versus Functional Paths
Discovering Hidden Parameters
Analyzing the Application
Identifying Entry Points for User Input
Identifying Server-Side Technologies
Identifying Server-Side Functionality
Mapping the Attack Surface
Summary
Questions
Chapter 5 Bypassing Client-Side Controls
Transmitting Data Via the Client
Hidden Form Fields
HTTP Cookies
URL Parameters
The Referer Header
Opaque Data
The ASP.NET ViewState
Capturing User Data: HTML Forms
Length Limits
Script-Based Validation
Disabled Elements
Capturing User Data: Browser Extensions
Common Browser Extension Technologies
Approaches to Browser Extensions
Intercepting Traffic from Browser Extensions
Decompiling Browser Extensions
Attaching a Debugger
Native Client Components
Handling Client-Side Data Securely
Transmitting Data Via the Client
Validating Client-Generated Data
Logging and Alerting
Summary
Questions
Chapter 6 Attacking Authentication
Authentication Technologies
Design Flaws in Authentication Mechanisms
Bad Passwords
Brute-Forcible Login
Verbose Failure Messages
Vulnerable Transmission of Credentials
Password Change Functionality
Forgotten Password Functionality
"Remember Me" Functionality
User Impersonation Functionality
Incomplete Validation of Credentials
Nonunique Usernames
Predictable Usernames
Predictable Initial Passwords
Insecure Distribution of Credentials
Implementation Flaws in Authentication
Fail-Open Login Mechanisms
Defects in Multistage Login Mechanisms
Insecure Storage of Credentials
Securing Authentication
Use Strong Credentials
Handle Credentials Secretively
Validate Credentials Properly
Prevent Information Leakage
Prevent Brute-Force Attacks
Prevent Misuse of the Password Change Function
Prevent Misuse of the Account Recovery Function
Log, Monitor, and Notify
Summary
Questions
Chapter 7 Attacking Session Management
The Need for State
Alternatives to Sessions
Weaknesses in Token Generation
Meaningful Tokens
Predictable Tokens
Encrypted Tokens
Weaknesses in Session Token Handling
Disclosure of Tokens on the Network
Disclosure of Tokens in Logs
Vulnerable Mapping of Tokens to Sessions
Vulnerable Session Termination
Client Exposure to Token Hijacking
Liberal Cookie Scope
Securing Session Management
Generate Strong Tokens
Protect Tokens Throughout Their Life Cycle
Log, Monitor, and Alert
Summary
Questions
Chapter 8 Attacking Access Controls
Common Vulnerabilities
Completely Unprotected Functionality
Identifier-Based Functions
Multistage Functions
Static Files
Platform Misconfiguration
Insecure Access Control Methods
Attacking Access Controls
Testing with Different User Accounts
Testing Multistage Processes
Testing with Limited Access
Testing Direct Access to Methods
Testing Controls Over Static Resources
Testing Restrictions on HTTP Methods
Securing Access Controls
A Multilayered Privilege Model
Summary
Questions
Chapter 9 Attacking Data Stores
Injecting into Interpreted Contexts
Bypassing a Login
Injecting into SQL
Exploiting a Basic Vulnerability
Injecting into Different Statement Types
Finding SQL Injection Bugs
Fingerprinting the Database
The UNION Operator
Extracting Useful Data
Extracting Data with UNION
Bypassing Filters
Second-Order SQL Injection
Advanced Exploitation
Beyond SQL Injection: Escalating the Database Attack
Using SQL Exploitation Tools
SQL Syntax and Error Reference
Preventing SQL Injection
Injecting into NoSQL
Injecting into MongoDB
Injecting into XPath
Subverting Application Logic
Informed XPath Injection
Blind XPath Injection
Finding XPath Injection Flaws
Preventing XPath Injection
Injecting into LDAP
Exploiting LDAP Injection
Finding LDAP Injection Flaws
Preventing LDAP Injection
Summary
Questions
Chapter 10 Attacking Back-End Components
Injecting OS Commands
Example 1: Injecting Via Perl
Example 2: Injecting Via ASP
Injecting Through Dynamic Execution
Finding OS Command Injection Flaws
Finding Dynamic Execution Vulnerabilities
Preventing OS Command Injection
Preventing Script Injection Vulnerabilities
Manipulating File Paths
Path Traversal Vulnerabilities
File Inclusion Vulnerabilities
Injecting into XML Interpreters
Injecting XML External Entities
Injecting into SOAP Services
Finding and Exploiting SOAP Injection
Preventing SOAP Injection
Injecting into Back-end HTTP Requests
Server-side HTTP Redirection
HTTP Parameter Injection
Injecting into Mail Services
E-mail Header Manipulation
SMTP Command Injection
Finding SMTP Injection Flaws
Preventing SMTP Injection
Summary
Questions
Chapter 11 Attacking Application Logic
The Nature of Logic Flaws
Real-World Logic Flaws
Example 1: Asking the Oracle
Example 2: Fooling a Password Change Function
Example 3: Proceeding to Checkout
Example 4: Rolling Your Own Insurance
Example 5: Breaking the Bank
Example 6: Beating a Business Limit
Example 7: Cheating on Bulk Discounts
Example 8: Escaping from Escaping
Example 9: Invalidating Input Validation
Example 10: Abusing a Search Function
Example 11: Snarfing Debug Messages
Example 12: Racing Against the Login
Avoiding Logic Flaws
Summary
Questions
Chapter 12 Attacking Users: Cross-Site Scripting
Varieties of XSS
Reflected XSS Vulnerabilities
Stored XSS Vulnerabilities
DOM-Based XSS Vulnerabilities
XSS Attacks in Action
Real-World XSS Attacks
Payloads for XSS Attacks
Delivery Mechanisms for XSS Attacks
Finding and Exploiting XSS Vulnerabilities
Finding and Exploiting Reflected XSS Vulnerabilities
Finding and Exploiting Stored XSS Vulnerabilities
Finding and Exploiting DOM-Based XSS Vulnerabilities
Preventing XSS Attacks
Preventing Reflected and Stored XSS
Preventing DOM-Based XSS
Summary
Questions
Chapter 13 Attacking Users: Other Techniques
Inducing User Actions
Request Forgery
UI Redress
Capturing Data Cross-Domain
Capturing Data by Injecting HTML
Capturing Data by Injecting CSS
JavaScript Hijacking
The Same-Origin Policy Revisited
The Same-Origin Policy and Browser Extensions
The Same-Origin Policy and HTML5
Crossing Domains with Proxy Service Applications
Other Client-Side Injection Attacks
HTTP Header Injection
Cookie Injection
Open Redirection Vulnerabilities
Client-Side SQL Injection
Client-Side HTTP Parameter Pollution
Local Privacy Attacks
Persistent Cookies
Cached Web Content
Browsing History
Autocomplete
Flash Local Shared Objects
Silverlight Isolated Storage
Internet Explorer userData
HTML5 Local Storage Mechanisms
Preventing Local Privacy Attacks
Attacking ActiveX Controls
Finding ActiveX Vulnerabilities
Preventing ActiveX Vulnerabilities
Attacking the Browser
Logging Keystrokes
Stealing Browser History and Search Queries
Enumerating Currently Used Applications
Port Scanning
Attacking Other Network Hosts
Exploiting Non-HTTP Services
Exploiting Browser Bugs
DNS Rebinding
Browser Exploitation Frameworks
Man-in-the-Middle Attacks
Summary
Questions
Chapter 14 Automating Customized Attacks
Uses for Customized Automation
Enumerating Valid Identifiers
The Basic Approach
Detecting Hits
Scripting the Attack
JAttack
Harvesting Useful Data
Fuzzing for Common Vulnerabilities
Putting It All Together: Burp Intruder
Barriers to Automation
Session-Handling Mechanisms
CAPTCHA Controls
Summary
Questions
Chapter 15 Exploiting Information Disclosure
Exploiting Error Messages
Script Error Messages
Stack Traces
Informative Debug Messages
Server and Database Messages
Using Public Information
Engineering Informative Error Messages
Gathering Published Information
Using Inference
Preventing Information Leakage
Use Generic Error Messages
Protect Sensitive Information
Minimize Client-Side Information Leakage
Summary
Questions
Chapter 16 Attacking Native Compiled Applications
Buffer Overflow Vulnerabilities
Stack Overflows
Heap Overflows
"Off-by-One" Vulnerabilities
Detecting Buffer Overflow Vulnerabilities
Integer Vulnerabilities
Integer Overflows
Signedness Errors
Detecting Integer Vulnerabilities
Format String Vulnerabilities
Detecting Format String Vulnerabilities
Summary
Questions
Chapter 17 Attacking Application Architecture
Tiered Architectures
Attacking Tiered Architectures
Securing Tiered Architectures
Shared Hosting and Application Service Providers
Virtual Hosting
Shared Application Services
Attacking Shared Environments
Securing Shared Environments
Summary
Questions
Chapter 18 Attacking the Application Server
Vulnerable Server Configuration
Default Credentials
Default Content
Directory Listings
WebDAV Methods
The Application Server as a Proxy
Misconfigured Virtual Hosting
Securing Web Server Configuration
Vulnerable Server Software
Application Framework Flaws
Memory Management Vulnerabilities
Encoding and Canonicalization
Finding Web Server Flaws
Securing Web Server Software
Web Application Firewalls
Summary
Questions
Chapter 19 Finding Vulnerabilities in Source Code
Approaches to Code Review
Black-Box Versus White-Box Testing
Code Review Methodology
Signatures of Common Vulnerabilities
Cross-Site Scripting
SQL Injection
Path Traversal
Arbitrary Redirection
OS Command Injection
Backdoor Passwords
Native Software Bugs
Source Code Comments
The Java Platform
Identifying User-Supplied Data
Session Interaction
Potentially Dangerous APIs
Configuring the Java Environment
ASP.NET
Identifying User-Supplied Data
Session Interaction
Potentially Dangerous APIs
Configuring the ASP.NET Environment
PHP
Identifying User-Supplied Data
Session Interaction
Potentially Dangerous APIs
Configuring the PHP Environment
Perl
Identifying User-Supplied Data
Session Interaction
Potentially Dangerous APIs
Configuring the Perl Environment
JavaScript
Database Code Components
SQL Injection
Calls to Dangerous Functions
Tools for Code Browsing
Summary
Questions
Chapter 20 A Web Application Hacker’s Toolkit
Web Browsers
Internet Explorer
Firefox
Chrome
Integrated Testing Suites
How the Tools Work
Testing Work Flow
Alternatives to the Intercepting Proxy
Standalone Vulnerability Scanners
Vulnerabilities Detected by Scanners
Inherent Limitations of Scanners
Technical Challenges Faced by Scanners
Current Products
Using a Vulnerability Scanner
Other Tools
Wikto/Nikto
Firebug
Hydra
Custom Scripts
Summary
Chapter 21 A Web Application Hacker’s Methodology
General Guidelines
1 Map the Application’s Content
1.1 Explore Visible Content
1.2 Consult Public Resources
1.3 Discover Hidden Content
1.4 Discover Default Content
1.5 Enumerate Identifier-Specified Functions
1.6 Test for Debug Parameters
2 Analyze the Application
2.1 Identify Functionality
2.2 Identify Data Entry Points
2.3 Identify the Technologies Used
2.4 Map the Attack Surface
3 Test Client-Side Controls
3.1 Test Transmission of Data Via the Client
3.2 Test Client-Side Controls Over User Input
3.3 Test Browser Extension Components
4 Test the Authentication Mechanism
4.1 Understand the Mechanism
4.2 Test Password Quality
4.3 Test for Username Enumeration
4.4 Test Resilience to Password Guessing
4.5 Test Any Account Recovery Function
4.6 Test Any Remember Me Function
4.7 Test Any Impersonation Function
4.8 Test Username Uniqueness
4.9 Test Predictability of Autogenerated Credentials
4.10 Check for Unsafe Transmission of Credentials
4.11 Check for Unsafe Distribution of Credentials
4.12 Test for Insecure Storage
4.13 Test for Logic Flaws
4.14 Exploit Any Vulnerabilities to Gain Unauthorized Access
5 Test the Session Management Mechanism
5.1 Understand the Mechanism
5.2 Test Tokens for Meaning
5.3 Test Tokens for Predictability
5.4 Check for Insecure Transmission of Tokens
5.5 Check for Disclosure of Tokens in Logs
5.6 Check Mapping of Tokens to Sessions
5.7 Test Session Termination
5.8 Check for Session Fixation
5.9 Check for CSRF
5.10 Check Cookie Scope
6 Test Access Controls
6.1 Understand the Access Control Requirements
6.2 Test with Multiple Accounts
6.3 Test with Limited Access
6.4 Test for Insecure Access Control Methods
7 Test for Input-Based Vulnerabilities
7.1 Fuzz All Request Parameters
7.2 Test for SQL Injection
7.3 Test for XSS and Other Response Injection
7.4 Test for OS Command Injection
7.5 Test for Path Traversal
7.6 Test for Script Injection
7.7 Test for File Inclusion
8 Test for Function-Specific Input Vulnerabilities
8.1 Test for SMTP Injection
8.2 Test for Native Software Vulnerabilities
8.3 Test for SOAP Injection
8.4 Test for LDAP Injection
8.5 Test for XPath Injection
8.6 Test for Back-End Request Injection
8.7 Test for XXE Injection
9 Test for Logic Flaws
9.1 Identify the Key Attack Surface
9.2 Test Multistage Processes
9.3 Test Handling of Incomplete Input
9.4 Test Trust Boundaries
9.5 Test Transaction Logic
10 Test for Shared Hosting Vulnerabilities
10.1 Test Segregation in Shared Infrastructures
10.2 Test Segregation Between ASP-Hosted Applications
11 Test for Application Server Vulnerabilities
11.1 Test for Default Credentials
11.2 Test for Default Content
11.3 Test for Dangerous HTTP Methods
11.4 Test for Proxy Functionality
11.5 Test for Virtual Hosting Misconfiguration
11.6 Test for Web Server Software Bugs
11.7 Test for Web Application Firewalling
12 Miscellaneous Checks
12.1 Check for DOM-Based Attacks
12.2 Check for Local Privacy Vulnerabilities
12.3 Check for Weak SSL Ciphers
12.4 Check Same-Origin Policy Configuration
13 Follow Up Any Information Leakage
Index