[PDF] The Web Application Hackers Handbook: Discovering and

View - Download The Web Application Hackers Handbook: Discovering and

Previous PDF

Next PDF

Dafydd StuttardMarcus Pinto

The Web Application

Hacker"s Handbook

Discovering and Exploiting Security FlawsWiley Publishing, Inc.

70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page i

70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page ii

Dafydd StuttardMarcus Pinto

The Web Application

Hacker"s Handbook

Discovering and Exploiting Security Flaws

Wiley Publishing, Inc.

70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page i

The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

Published by

Wiley Publishing, Inc.

10475 Crosspoint Boulevard

Indianapolis, IN 46256

www.wiley.com Copyright © 2008 by Dafydd Stuttard and Marcus Pinto. Published by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-0-470-17077-9

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form

or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright

Act, without either the prior

written permission of the Publisher, or authorization through payment of the appropriate per-copy fee

to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978)

646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley

Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 57

2-4355, or

online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty:The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitn ess for a particular purpose. No

warranty may be created or extended by sales or promotional materials. The advice and strategies con-

tained herein may not be suitable for every situation. This work is sold with the understanding that the

publisher is not engaged in rendering legal, accounting, or other professional services. If professional

assistance is required, the services of a competent professional person should be sought. Neither the

publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or

Website is referred to in this work as a citation and/or a potential source of further information does

not mean that the author or the publisher endorses the information the o rganization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please con-

tact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (

317) 572-3993

or fax (317) 572-4002. Library of Congress Cataloging-in-Publication Data

Stuttard, Dafydd, 1972-

The web application hacker's handbook : discovering and exploiting secur ity flaws / Dafydd Stut- tard, Marcus Pinto. p. cm.

Includes index.

ISBN 978-0-470-17077-9 (pbk.)

1. Internet--Security measures. 2. Computer security. I. Pinto, Marcus, 1978- II. Title.

TK5105.875.I57S85 2008

005.8--dc22

2007029983

Trademarks:Wiley and related trade dress are registered trademarks of Wiley Publishing, Inc., in the United States and other countries, and may not be used without written p ermission. All other trade-

marks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any

product or vendor mentioned in this book.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may

not be available in electronic books.

70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page ii

iii Dafydd Stuttardis a Principal Security Consultant at Next Generation Secu- rity Software, where he leads the web application security competency. He has nine years' experience in security consulting and specializes in the penetration testing of web applications and compiled software. Dafydd has worked with numerous banks, retailers, and other enterprises to help secure their web applications, and has provided security consulting to several software manufacturers and governments to help secure their com- piled software. Dafydd is an accomplished programmer in several languages, and his interests include developing tools to facilitate all kinds of software security testing. Dafydd has developed and presented training courses at the Black Hat secu- rity conferences around the world. Under the alias "PortSwigger," Dafydd cre- ated the popular Burp Suite of web application hacking tools. Dafydd hol ds master's and doctorate degrees in philosophy from the University of Oxford. Marcus Pintois a Principal Security Consultant at Next Generation Security Software, where he leads the database competency development team, and has lead the development of NGS' primary training courses. He has eig ht years' experience in security consulting and specializes in penetrati on testing of web applications and supporting architectures. Marcus has worked with numerous banks, retailers, and other enterprises to help secure their web applications, and has provided security consulting to the development projects of several security-critical applications. He has worked extensively with large-scale web application deployments in the financial ser- vices industry. Marcus has developed and presented database and web application train- ing courses at the Black Hat and other security conferences around the world. Marcus holds a master's degree in physics from the University of Cambridge.

About the Authors

70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page iii

Executive Editor

Carol Long

Development Editor

Adaobi Obi Tulton

Production Editor

Christine O"Connor

Copy Editor

Foxxe Editorial Services

Editorial Manager

Mary Beth Wakefield

Production Manager

Tim Tate

Vice President and Executive Group

Publisher

Richard SwadleyVice President and Executive PublisherJoseph B. Wikert

Project Coordinator, Cover

Lynsey Osborn

Compositor

Happenstance Type-O-Rama

Proofreader

Kathryn Duggan

Indexer

Johnna VanHoose Dinse

Anniversary Logo Design

Richard Pacifico

Credits

iv

70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page iv

Acknowledgmentsxxiii

Introductionxxv

Chapter 1 Web Application (In)security1

The Evolution of Web Applications2

Common Web Application Functions3

Benefits of Web Applications4

Web Application Security5

“This Site Is Secure"6

The Core Security Problem: Users Can Submit Arbitrary Input 8

Key Problem Factors9

Immature Security Awareness9

In-House Development9

Deceptive Simplicity9

Rapidly Evolving Threat Profile10

Resource and Time Constraints10

Overextended Technologies10

The New Security Perimeter10

The Future of Web Application Security12

Chapter Summary13

Chapter 2 Core Defense Mechanisms15

Handling User Access16

Authentication16

Session Management17

Access Control18

Handling User Input19

Varieties of Input20

Approaches to Input Handling21

Contents

v

70779toc.qxd:WileyRed 9/16/07 5:07 PM Page v

"Reject Known Bad"21 "Accept Known Good"21

Sanitization22

Safe Data Handling22

Semantic Checks23

Boundary Validation23

Multistep Validation and Canonicalization26

Handling Attackers27

Handling Errors27

Maintaining Audit Logs29

Alerting Administrators30

Reacting to Attacks31

Managing the Application32

Chapter Summary33

Questions34

Chapter 3 Web Application Technologies35

The HTTP Protocol35

HTTP Requests36

HTTP Responses37

HTTP Methods38

URLs40

HTTP Headers41

General Headers41

Request Headers41

Response Headers42

Cookies43

Status Codes44

HTTPS45

HTTP Proxies46

HTTP Authentication47

Web Functionality47

Server-Side Functionality48

The Java Platform 49

ASP.NET50

PHP50

Client-Side Functionality51

HTML51

Hyperlinks51

Forms52

JavaScript54

Thick Client Components54

State and Sessions55

Encoding Schemes56

URL Encoding56

Unicode Encoding57

vi Contents

70779toc.qxd:WileyRed 9/16/07 5:07 PM Page vi

HTML Encoding57

Base64 Encoding58

Hex Encoding 59

Next Steps59

Questions59

Chapter 4 Mapping the Application61

Enumerating Content and Functionality62

Web Spidering62

User-Directed Spidering65

Discovering Hidden Content67

Brute-Force Techniques67

Inference from Published Content70

Use of Public Information72

Leveraging the Web Server 75

Application Pages vs. Functional Paths76

Discovering Hidden Parameters79

Analyzing the Application79

Identifying Entry Points for User Input80

Identifying Server-Side Technologies82

Banner Grabbing82

HTTP Fingerprinting82

File Extensions84

Directory Names86

Session Tokens86

Third-Party Code Components87

Identifying Server-Side Functionality88

Dissecting Requests88

Extrapolating Application Behavior90

Mapping the Attack Surface91

Chapter Summary92

Questions93

Chapter 5 Bypassing Client-Side Controls95

Transmitting Data via the Client95

Hidden Form Fields96

HTTP Cookies99

URL Parameters99

The Referer Header100

Opaque Data101

The ASP.NET ViewState102

Capturing User Data: HTML Forms106

Length Limits106

Script-Based Validation108

Disabled Elements110

Capturing User Data: Thick-Client Components111

Java Applets112

Contents vii

70779toc.qxd:WileyRed 9/16/07 5:07 PM Page vii

Decompiling Java Bytecode114

Coping with Bytecode Obfuscation117

ActiveX Controls119

Reverse Engineering120

Manipulating Exported Functions122

Fixing Inputs Processed by Controls123

Decompiling Managed Code124

Shockwave Flash Objects124

Handling Client-Side Data Securely128

Transmitting Data via the Client128

Validating Client-Generated Data129

Logging and Alerting131

Chapter Summary131

Questions132

Chapter 6 Attacking Authentication133

Authentication Technologies134

Design Flaws in Authentication Mechanisms135

Bad Passwords135

Brute-Forcible Login136

Verbose Failure Messages139

Vulnerable Transmission of Credentials142

Password Change Functionality144

Forgotten Password Functionality145

"Remember Me" Functionality148

User Impersonation Functionality149

Incomplete Validation of Credentials152

Non-Unique Usernames152

Predictable Usernames154

Predictable Initial Passwords154

Insecure Distribution of Credentials155

Implementation Flaws in Authentication 156

Fail-Open Login Mechanisms156

Defects in Multistage Login Mechanisms157

Insecure Storage of Credentials161

Securing Authentication 162

Use Strong Credentials162

Handle Credentials Secretively163

Validate Credentials Properly164

Prevent Information Leakage166

Prevent Brute-Force Attacks167

Prevent Misuse of the Password Change Function170

Prevent Misuse of the Account Recovery Function170

Log, Monitor, and Notify172

Chapter Summary172

viii Contents

70779toc.qxd:WileyRed 9/16/07 5:07 PM Page viii

Chapter 7 Attacking Session Management175

The Need for State176

Alternatives to Sessions178

Weaknesses in Session Token Generation 180

Meaningful Tokens180

Predictable Tokens182

Concealed Sequences184

Time Dependency 185

Weak Random Number Generation187

Weaknesses in Session Token Handling191

Disclosure of Tokens on the Network192

Disclosure of Tokens in Logs196

Vulnerable Mapping of Tokens to Sessions198

Vulnerable Session Termination200

Client Exposure to Token Hijacking201

Liberal Cookie Scope203

Cookie Domain Restrictions203

Cookie Path Restrictions205

Securing Session Management206

Generate Strong Tokens206

Protect Tokens throughout Their Lifecycle208

Per-Page Tokens211

Log, Monitor, and Alert212

Reactive Session Termination212

Chapter Summary213

Questions214

Chapter 8 Attacking Access Controls217

Common Vulnerabilities218

Completely Unprotected Functionality219

Identifier-Based Functions220

Multistage Functions222

Static Files222

Insecure Access Control Methods223

Attacking Access Controls 224

Securing Access Controls 228

A Multi-Layered Privilege Model231

Chapter Summary234

Questions235

Chapter 9 Injecting Code237

Injecting into Interpreted Languages238

Injecting into SQL240

Exploiting a Basic Vulnerability241

Bypassing a Login243

Finding SQL Injection Bugs244

Injecting into Different Statement Types247

Contents ix

70779toc.qxd:WileyRed 9/16/07 5:07 PM Page ix

The UNION Operator251

Fingerprinting the Database255

Extracting Useful Data256

An Oracle Hack257

An MS-SQL Hack260

Exploiting ODBC Error Messages (MS-SQL Only)262

Enumerating Table and Column Names263

Extracting Arbitrary Data265

Using Recursion266

Bypassing Filters267

Second-Order SQL Injection271

Advanced Exploitation272

Retrieving Data as Numbers273

Using an Out-of-Band Channel274

Using Inference: Conditional Responses277

Beyond SQL Injection: Escalating the Database Attack285

MS-SQL286

Oracle288

MySQL288

SQL Syntax and Error Reference 289

SQL Syntax290

SQL Error Messages292

Preventing SQL Injection296

Partially Effective Measures 296

Parameterized Queries297

Defense in Depth299

Injecting OS Commands300

Example 1: Injecting via Perl300

Example 2: Injecting via ASP302

Finding OS Command Injection Flaws304

Preventing OS Command Injection307

Injecting into Web Scripting Languages307

Dynamic Execution Vulnerabilities307

Dynamic Execution in PHP308

Dynamic Execution in ASP308

Finding Dynamic Execution Vulnerabilities309

File Inclusion Vulnerabilities310

Remote File Inclusion310

Local File Inclusion311

Finding File Inclusion Vulnerabilities312

Preventing Script Injection Vulnerabilities312

Injecting into SOAP313

Finding and Exploiting SOAP Injection315

Preventing SOAP Injection316

Injecting into XPath316

Subverting Application Logic317

x Contents

70779toc.qxd:WileyRed 9/16/07 5:07 PM Page x

Informed XPath Injection318

Blind XPath Injection319

Finding XPath Injection Flaws320

Preventing XPath Injection321

Injecting into SMTP321

Email Header Manipulation322

SMTP Command Injection323

Finding SMTP Injection Flaws324

Preventing SMTP Injection326

Injecting into LDAP326

Injecting Query Attributes327

Modifying the Search Filter328

Finding LDAP Injection Flaws329

Preventing LDAP Injection330

Chapter Summary331

Questions331

Chapter 10 Exploiting Path Traversal333

Common Vulnerabilities333

Finding and Exploiting Path Traversal Vulnerabilities 335

Locating Targets for Attack335

Detecting Path Traversal Vulnerabilities336

Circumventing Obstacles to Traversal Attacks339

Coping with Custom Encoding342

Exploiting Traversal Vulnerabilities344

Preventing Path Traversal Vulnerabilities344

Chapter Summary346

Questions346

Chapter 11 Attacking Application Logic349

The Nature of Logic Flaws350

Real-World Logic Flaws350

Example 1: Fooling a Password Change Function351

The Functionality351

The Assumption351

The Attack352

Example 2: Proceeding to Checkout352

The Functionality352

quotesdbs_dbs14.pdfusesText_20

[PDF] the most drastic step a manager can take in response to an employee offense is ________.

[PDF] the national k 12 foreign language enrollment survey report 2018

[PDF] the national k 16 foreign language enrollment survey report

[PDF] the nature of code pdf download

[PDF] the netflix recommender system

[PDF] the neuroscience of joyful education

[PDF] the new c standard

[PDF] the new oxford picture dictionary (english spanish edition)

[PDF] the new oxford picture dictionary download

[PDF] the new oxford picture dictionary english chinese pdf

[PDF] the new oxford picture dictionary english spanish pdf free

[PDF] the new oxford picture dictionary monolingual english edition

[PDF] the new oxford picture dictionary spanish pdf

[PDF] the new school waitlist

[PDF] the new york times guide to the best 1